not-a-virus.AdWare.Win32.Hebogo.acn_65420dc6c8

by malwarelabrobot on March 7th, 2016 in Malware Descriptions.

not-a-virus:AdWare.Win32.Hebogo.acn (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 65420dc6c8a8bc9e5fb759d0edc2517e
SHA1: a46989879fa13fab7a13d4ec2a8cfcc20b8acca0
SHA256: d5d7de7afe5f0fcd9052d4eb5384b508e5bf562734258f0ce2d7b2de3ceef204
SSDeep: 24576:0cgCYQ1LGum4sx8Kofd/uV wCD7fGJUOX:LgCh1LGumhuW HzGiOX
Size: 837328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-11-06 21:53:27
Analyzed on: WindowsXP SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The not-a-virus creates the following process(es):

WinCtrProc.exe:1076
WinCtrProc.exe:548
WinCtrProc.exe:1840
WinCtrProc.exe:320
%original file name%.exe:2040
WinCtrCon.exe:1376
WinCtrCon.exe:1888
WinCtrCon.exe:1332
irsetup.exe:652

The not-a-virus injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WinCtrProc.exe:1076 makes changes in the file system.
The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF92EA.tmp (0 bytes)

The process WinCtrProc.exe:548 makes changes in the file system.
The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFF0D1.tmp (0 bytes)

The process WinCtrProc.exe:1840 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AskIP[1].htm (28 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (48057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FcPimSLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WinCtrCon[1].exe (49345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\TransSiteString[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\UCg_LPrMLab[1].htm (409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\StakePsList[1].htm (917 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFD266.tmp (0 bytes)

The process WinCtrProc.exe:320 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\FcPimSLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Uninstall_Ctr[1].exe (21953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\keyword_platinum[1].htm (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\TransSiteString[1].htm (12 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (47561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FormLocation[2].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AskIP[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FcPimSLab[2].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\TransSiteString[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\UCg_LPrMLab[2].htm (409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\UCg_LPrMLab[1].htm (409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\UCg_LPrMLab[3].htm (409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\TransSiteString[2].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WinCtrCon[1].exe (49345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AskIP[2].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FcPimSLab[3].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\keyword_platinum[2].htm (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AskIP[2].htm (28 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (21953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\keyword_platinum[1].htm (237 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\TransSiteString[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\StakePsList[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WinCtrCon[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\UCg_LPrMLab[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\keyword_platinum[2].htm (0 bytes)

The process %original file name%.exe:2040 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process WinCtrCon.exe:1376 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\FcTimeLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sTakeList[1].htm (917 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF220D.tmp (0 bytes)

The process WinCtrCon.exe:1888 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FcTimeLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ProgramUpdateLab[1].htm (19 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF66F2.tmp (0 bytes)

The process WinCtrCon.exe:1332 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (424825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FcTimeLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WinCtrProc[1].exe (424825 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF3AA3.tmp (0 bytes)

The process irsetup.exe:652 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%System%\VB6KO.DLL (2712 bytes)
%System%\MSINET.OCX (2784 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

Registry activity

The process WinCtrProc.exe:1076 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 42 5E BF E5 5D 33 FF 57 9C 14 AA 3E 2D F1 0F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process WinCtrProc.exe:548 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 CB B1 E7 44 B9 C8 DE 18 D9 5E A7 D4 4C D2 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process WinCtrProc.exe:1840 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"USER_NO" = "3199"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinCtrView]
"AdFlag" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Intro_No" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\WinCtrView]
"Version" = "1815"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 AE 8C AD 78 39 AE A0 C3 EF FB 6D 5A 69 36 D7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -jDulyJs"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -jDulyJs"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

The not-a-virus disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

The process WinCtrProc.exe:320 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"USER_NO" = "3199"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\WinCtrView]
"Commit" = "Y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinCtrView]
"ver" = "sup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Upmom" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\WinCtrView]
"firstTime" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\WinCtrView]
"Actdate" = "3/6/2016"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\WinCtrView]
"Version" = "1815"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 0C CF 03 5C D6 8D 46 D6 02 6D EE DA E0 CF 38"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -gArhvG"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -gArhvG"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

The not-a-virus disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

The process %original file name%.exe:2040 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F E7 70 C5 63 B0 54 8E FF 5E 0C BB CA 4F 15 C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WinCtrCon.exe:1376 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion]
"WinCtrProc.exe" = "WinCtrProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 BD DF 00 7D 43 05 C0 3D 54 9F 82 D8 84 44 C7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\WinCtrView]
"MomDate" = "3/6/2016"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -fAqhvF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -fAqhvF"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
"ProxyOverride"

The not-a-virus disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"

The process WinCtrCon.exe:1888 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 66 34 2E 80 31 DF 6D 0D 34 06 E4 60 C4 9F 81"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\WinCtrView]
"MomDate" = "3/6/2016"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -hCsjxH"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -hCsjxH"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
"ProxyOverride"

The not-a-virus disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"

The process WinCtrCon.exe:1332 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"

[HKCU\Software\WinCtrView]
"Upmom" = "N"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\WinCtrView]
"Commit" = "N"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\WinCtrView]
"Version" = "1435"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A DC 0A 61 37 A8 53 64 4A 18 90 A7 CE BC B0 C4"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKCU\Software\WinCtrView]
"firstTime" = "0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "%System%\MSINET.OCX, 1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\WinCtrView]
"MomDate" = "3/6/2016"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -SndUi"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"

The not-a-virus deletes the following registry key(s):

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

The not-a-virus disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"

The process irsetup.exe:652 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"PDR" = "asdfaeiqwerh"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKCU\Software\WinCtrView]
"SUBNAME" = "MAIN"
"Commit" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\WinCtrView]
"CURDIR" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\WinCtrView]
"ver" = "sup"
"USER_NO" = "3199"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\WinCtrView]
"Version" = "0000"
"S_NO" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 78 94 97 5D 65 C5 91 AE B9 F1 65 32 59 E6 A4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Upmom" = "Y"
"Owner" = "admin"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrProc.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrCon.exe"

Dropped PE files

MD5 File path
c536885e1cd75326783ec60c7aa3e350 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe
cc263f5d618bd09348e15dd5092ec0aa c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe
85c171d8f7315238df1bc6b1fa16737c c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe
3fe7c92dba5c9240b4ab0d6a87e6166a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe
c536885e1cd75326783ec60c7aa3e350 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Uninstall_Ctr[1].exe
cc263f5d618bd09348e15dd5092ec0aa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WinCtrCon[1].exe
85c171d8f7315238df1bc6b1fa16737c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WinCtrProc[1].exe
90a39346e9b67f132ef133725c487ff6 c:\WINDOWS\system32\MSINET.OCX
84742b5754690ed667372be561cf518d c:\WINDOWS\system32\VB6KO.DLL

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Setup Factory 8.0 Runtime
Product Version: 8.2.1.0
Legal Copyright: Setup Engine Copyright (c) 2004-2009 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf80_launch.exe
Internal Name: suf80_launch
File Version: 8.2.1.0
File Description: Setup Application
Comments: Created with Setup Factory 8.0
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 28836 32768 4.26507 a8dbcac095aef6f1ff0f56e91c5abc15
.rdata 36864 10370 12288 3.44532 efb6029b9a5f70171975f6b5a16c78ce
.data 49152 6440 4096 1.54728 cf8d7dd9f4b828868db85743b8601f51
.rsrc 57344 28040 28672 4.06487 05962a2c16ea40395e7b662814eba9fd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 98

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Config/sTakeList.asp?n=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: domainserver.co.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQTCBBSS=CEINONOBLJKNOGIPMCJLINKL; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:31 GMT

<<< skipped >>>

GET /Config/sTakeList.asp?n=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: koreaserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQSBBCQS=KEJFLNOBHAFJCMPKOLJGLLBK; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:58 GMT

<<< skipped >>>

GET /Config/AdNw/FcTimeLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.60
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQTADCQQ=KLININOBNCIIGHANBMJPKPMP; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:39 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y



GET /Config/NewConf/ProgramUpdateLab.asp?version=1435 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.60
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQTADCQQ=KLININOBNCIIGHANBMJPKPMP


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:41 GMT
1815|WinCtrProc.exe


GET /Config/AdNw/StakePsList.asp?uno=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: itemprice.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDASRAADTT=HMFCPMOBNLGPPLMGGBEFAEGN; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:01 GMT

<<< skipped >>>

GET /Config/AskIP.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:23 GMT
194.242.96.218|220.73.162.26....



GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:24 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.co
m/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.na
ver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.
com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962
|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#
..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.
naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|
C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/pe
tition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|
58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|90
0|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430
#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http
://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..h
ttp://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9
|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|90
0|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34
|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|5
8.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C
|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafeh
ome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_t
op_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media
.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:24 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y..
....



GET /Config/newConf/UCg_LPrMLab.asp?user_no=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 409
Content-Type: text/html
Expires: Sun, 06 Mar 2016 07:27:25 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:24 GMT
KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_
search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.51/config/
LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=
,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[
1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.
asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|90|Y|60|Y|85|
....



GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24143
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:25 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?
p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u]
,ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com
/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1
],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.
yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWO
RD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http
://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.y
ahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.
com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http:
//fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://tran
slate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JA
PAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http
://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF
-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.n
aver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[
1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.se
arch.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][
KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,h
ttp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /config/keyword_platinum.asp?user_no=3199&SubName=MAIN HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 237
Content-Type: text/html
Expires: Sun, 06 Mar 2016 07:27:26 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:25 GMT
[icon][/icon][startpage][/startpage][startpop][/startpop][popup][/popu
p][adminkeywordpop][/adminkeywordpop][keywordpop]|[/keywordpop][ver]su
p[/ver][overtureflag]Y[/overtureflag][platinumflag]N[/platinumflag][di
stinctflag]Y[/distinctflag]
....



GET /Config/newConf/UCg_LPrMLab.asp?user_no=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 409
Content-Type: text/html
Expires: Sun, 06 Mar 2016 07:27:27 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:27 GMT
KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_
search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.53/config/
LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=
,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[
1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.
asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|90|Y|60|Y|85|
....



GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.26
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQARTDQS=LCCCKMOBJPPFBCPBLEONBILC


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24143
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:27 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?
p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u]
,ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com
/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1
],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.
yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWO
RD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http
://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.y
ahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.
com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http:
//fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://tran
slate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JA
PAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http
://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF
-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.n
aver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[
1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.se
arch.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][
KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,h
ttp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /Config/AdNw/FcTimeLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.61
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACTSTATB=DDCLJNOBEECGLLBODCJLIIBH; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:02 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y..



GET /Config/NewConf/ProgramUpdateLab.asp?version=1815 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.61
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACTSTATB=DDCLJNOBEECGLLBODCJLIIBH


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:04 GMT
1815|WinCtrProc.exe


GET /Config/AdNw/StakePsList.asp?uno=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: hostserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSQBBCRR=HHMPINOBJLMDBJEPMLGPGDLL; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:22 GMT

<<< skipped >>>

GET /Config/AskIP.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCCTBQRD=HNEFGNOBJDKLIMEDBMGOMOJO; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:14 GMT
194.242.96.218|220.73.162.29....



GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCCCTBQRD=HNEFGNOBJDKLIMEDBMGOMOJO


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:14 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.co
m/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.na
ver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.
com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962
|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#
..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.
naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|
C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/pe
tition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|
58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|90
0|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430
#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http
://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..h
ttp://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9
|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|90
0|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34
|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|5
8.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C
|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafeh
ome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_t
op_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media
.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCCCTBQRD=HNEFGNOBJDKLIMEDBMGOMOJO


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:15 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y..
....



GET /Config/newConf/UCg_LPrMLab.asp?user_no=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCCCTBQRD=HNEFGNOBJDKLIMEDBMGOMOJO


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 409
Content-Type: text/html
Expires: Sun, 06 Mar 2016 07:28:16 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:15 GMT
KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_
search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.53/config/
LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=
,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[
1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.
asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|90|Y|60|Y|85|
....



GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCCCTBQRD=HNEFGNOBJDKLIMEDBMGOMOJO


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12071
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:17 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?
p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u]
,ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com
/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1
],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.
yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWO
RD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http
://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.y
ahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.
com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http:
//fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://tran
slate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JA
PAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http
://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF
-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.n
aver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[
1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.se
arch.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][
KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,h
ttp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /config/keyword_platinum.asp?user_no=3199&SubName=MAIN HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCCCTBQRD=HNEFGNOBJDKLIMEDBMGOMOJO


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 237
Content-Type: text/html
Expires: Sun, 06 Mar 2016 07:28:21 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:20 GMT
[icon][/icon][startpage][/startpage][startpop][/startpop][popup][/popu
p][adminkeywordpop][/adminkeywordpop][keywordpop]|[/keywordpop][ver]su
p[/ver][overtureflag]Y[/overtureflag][platinumflag]N[/platinumflag][di
stinctflag]Y[/distinctflag]
....



GET /Config/ipget.asp?kn=every&usd=3199&SubName=MAIN&preid=0&ver=sup&Version=1815 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.29
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCCCTBQRD=HNEFGNOBJDKLIMEDBMGOMOJO


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Sun, 06 Mar 2016 07:28:21 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:20 GMT


GET /Download/WinCtrCon.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.2
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Mar 2016 10:11:40 GMT
Accept-Ranges: bytes
ETag: "f7103e143575d11:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:05:56 GMT
Content-Length: 108344

<<< skipped >>>

GET /Download/Uninstall_Ctr.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.2
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 19 Jan 2016 00:55:41 GMT
Accept-Ranges: bytes
ETag: "707adb1e5452d11:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:05:59 GMT
Content-Length: 194376

<<< skipped >>>

GET /Config/AskIP.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.56
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQSBBCQS=BAJFLNOBBMFMIGDHEHAHAJAL; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:49 GMT
194.242.96.218|220.73.162.56....



GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.56
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQSBBCQS=BAJFLNOBBMFMIGDHEHAHAJAL


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:49 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.co
m/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.na
ver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.
com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962
|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#
..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.
naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|
C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/pe
tition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|
58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|90
0|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430
#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http
://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..h
ttp://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9
|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|90
0|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34
|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|5
8.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C
|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafeh
ome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_t
op_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media
.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.56
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQSBBCQS=BAJFLNOBBMFMIGDHEHAHAJAL


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:50 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y..
....



GET /Config/newConf/UCg_LPrMLab.asp?user_no=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.56
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQSBBCQS=BAJFLNOBBMFMIGDHEHAHAJAL


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 409
Content-Type: text/html
Expires: Sun, 06 Mar 2016 07:27:50 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:50 GMT
KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_
search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.50/config/
LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=
,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[
1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.
asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|90|Y|60|Y|85|
....



GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.56
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCQSBBCQS=BAJFLNOBBMFMIGDHEHAHAJAL


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24143
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:50 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?
p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u]
,ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com
/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1
],tl=[u],ie=UTF-8,,|CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.
yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWO
RD],sl=[1],tl=[u],ie=UTF-8,,|CANADA,ca,hXXp://ca.search.yahoo.com,http
://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.y
ahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.
com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|FRANCE,fr,http:
//fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://tran
slate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JA
PAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,http
://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF
-8,,|KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.n
aver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[
1],tl=[u],ie=UTF-8,,|GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.se
arch.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][
KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|ENGLISH,en,hXXp://search.yahoo.com,h
ttp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate
?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /Config/AskIP.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.25
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28
Content-Type: text/html
Server: Microsoft-IIS/8.0
Set-Cookie: ASPSESSIONIDASADRSSQ=PLFLINOBGNFILJODFOCHJDFE; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:39 GMT
194.242.96.218|220.73.162.25....



GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.25
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDASADRSSQ=PLFLINOBGNFILJODFOCHJDFE


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:39 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://cafe.naver.co
m/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#..hXXp://kin.na
ver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#..hXXp://news.naver.
com|961|C|962|50|R|L|8|8|283#..hXXp://section.blog.naver.com|961|C|962
|50|R|L|8|8|283#..hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#
..hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#..hXXp://VVV.
naver.com|882|C|882|260|R|L|6|6|255#..hXXp://agora.media.daum.net|978|
C|58.34|900|R|L|9|9|430#..hXXp://agoraplaza.media.daum.net/petition/pe
tition.do?|978|C|58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/?|978|C|
58.34|900|R|L|9|9|430#..hXXp://blog.daum.net/_blog/_top|978|C|58.34|90
0|R|L|9|9|430#..hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430
#..hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#..http
://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#..h
ttp://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9
|9|430#..hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|90
0|R|L|9|9|430#..hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34
|900|R|L|9|9|430#..hXXp://cafe.daum.net/event/event_list.html?|978|C|5
8.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C
|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/?_top_blogtop=navi_cafeh
ome|978|C|58.34|900|R|L|9|9|430#..hXXp://cafe.daum.net/top/top.html?_t
op_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#..hXXp://cartoon.media
.daum.net|978|C|58.34|900|R|L|9|9|430#..hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.25
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/8.0
Set-Cookie: ASPSESSIONIDASADRSSQ=JMFLINOBDPBKJAAHMGJPPIKD; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:44 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y


GET /Config/AdNw/FcTimeLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSSBCART=NPFFJNOBDAEAAKNLDEEDFCGM; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:29:34 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,htt
p://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|
120|Y|Y|Y|Y|Y|Y



GET /Config/NewConf/ProgramUpdateLab.asp?version=1815 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.37
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCSSBCART=NPFFJNOBDAEAAKNLDEEDFCGM


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:29:37 GMT
1815|WinCtrProc.exe


GET /Download/WinCtrCon.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.2
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Mar 2016 10:11:40 GMT
Accept-Ranges: bytes
ETag: "f7103e143575d11:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:05:42 GMT
Content-Length: 108344

<<< skipped >>>

GET /Config/sTakeList.asp?n=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: mainserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSQBCCTR=DFFFOMOBINCLELIDNJJMEHOC; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:07 GMT

<<< skipped >>>

GET /Config/AdNw/StakePsList.asp?uno=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: domainserver.co.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQTCBBSS=MFINONOBLOENPOHELKFFHCIP; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:28:32 GMT

<<< skipped >>>

GET /Download/WinCtrProc.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: micronames.co.kr
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Mar 2016 10:34:41 GMT
Accept-Ranges: bytes
ETag: "90486a4b3875d11:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:48 GMT
Content-Length: 870192

<<< skipped >>>

GET /Config/AdNw/StakePsList.asp?uno=3199 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: itemprice.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDASRAADTT=HAGCPMOBIIJCLDAGJPKFPFPD; path=/
X-Powered-By: ASP.NET
Date: Sun, 06 Mar 2016 07:27:18 GMT

<<< skipped >>>

The not-a-virus connects to the servers at the following location(s):

WinCtrProc.exe_320:

.text
`.data
.rsrc
MSVBVM60.DLL
InetCtlsObjects.Inet
WebBrowser1
SHDocVwCtl.WebBrowser
vb6ko.dll
MSINET.OCX
ieframe.dll
WebBrowser
KeywordForm
GetKeyState
shell32.dll
ShellExecuteA
EnumWindows
GetAsyncKeyState
WSOCK32.DLL
iphlpapi.dll
VBA6.DLL
GetWindowsDirectoryA
UpdateLayeredWindows
User32.DLL
kernel32.dll
WinExec
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
C:\Windows\system32\msvbvm60.dll\3
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\system32\MSINET.oca
zdWebBrowser1
C:\Windows\System32\ieframe.oca
vb6stkit.dll
GetKeyboardState
URLEncode
2008:02:21 11:10:24
urlTEXT
MsgeTEXT
HhXXp://ns.adobe.com/xap/1.0/
<x:xapmeta xmlns:x='adobe:ns:meta/' x:xaptk='XMP toolkit 2.8.2-33, framework 1.5'>
<rdf:RDF xmlns:rdf='hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='hXXp://ns.adobe.com/iX/1.0/'>
<rdf:Description about='uuid:25326700-e021-11dc-8e7f-a474304460f4'
xmlns:xapMM='hXXp://ns.adobe.com/xap/1.0/mm/'>
<xapMM:DocumentID>adobe:docid:photoshop:253266fe-e021-11dc-8e7f-a474304460f4</xapMM:DocumentID>
hXXp:///
@isplay;0System.DateM
\WinCtrPrc(20140224)\WinCtrProc_Random\MainControlProc.vbp
78E1BDD1-9941-11cf-9756-00AA00C00908
Error opening key.
Error getting subkey value.
chrome
mozilla
firefox
opera
- chrome
keyboard
netpia.com
2.asp
3.asp
/config/FormActive_Distinct.asp?uno=
&url=
&keyword=
&keyno=
/config/Formactive_Distinct.asp?uno=
/config/formactive.asp?uno=
&kind=PORTAL
/config/FormActive.asp?uno=
&kind=KEYWORD
microsoft.com
st.asp?uno=
/Config/FormLocation.asp
/Config/AdNw/FcPimSLab.asp
/Config/newConf/UCg_LPrMLab.asp?user_no=
/Config/TransSiteString.asp?nation=
/Config/FileNameDataMicro.asp
SetDownValue.asp?uno=
/Config/MakeIcon.asp?uno=
/Config/MakeStartPage.asp?uno=
/Config/MakeSearchPage.asp?uno=
/Config/MakeProgram.asp?uno=
ERROR_URL
/Config/Pop_Key_MainPlatinum.asp?uno=
/Config/Pop_Key_MainDistinct.asp?uno=
&distinct=keyword
error_url
hXXp://VVV.naver.com
InternetExplorer.Application
/advertisebanner/keyword/
/advertisedistinct/keyword/
/Config/GuideSiteString.asp?p=
.dictionary
dic.daum
dic.naver
dic.nate
http:
https:
&key=
?keyword=
?key=
keyword=
로
을
e.asp?p=
[KEYWORD]
.asp?p=
roLab.asp?p=
Code.asp?p=
hXXp://
hXXps://
ode.asp?uno=
/Config/KeySt
ab.asp?p=
/Config/SiteLink_Code.asp?uno=
/Config/ConvertLanguagemicrOLAb.asp?p=
/Config/OvertureDataConnect.asp?p=&uno=
/Config/RankeyLink_Code.asp?uno=
/advertisebanner/keyword
/advertisedistinct/keyword
JOIN
KEYWORD
\Internet Explorer\iexplore.exe
WScript.Shell
%Program Files%\Internet Explorer\iexplore.exe
/Config/KeyStringmicrOLAbPop.asp?p=
wscript.shell
/Config/GolbalString.asp?p=
/Config/TransSiteString_Commit.asp?site=
/Config/FindBrowserCode.asp?p=
PORTUGAL
from portugal
to portugal
/Config/UrlEncodeDecode.asp?q=
/Config/ServerList.asp?uno=
[keywordpop]
/Config/TargetDataConnect.asp?p=&uno=
[/adminkeywordpop]
software\microsoft\windows\currentversion\run
%Program Files%\micrOLAb\SearchEngin\LanguageConvert
/config/keyword_platinum.asp?user_no=
[adminkeywordpop]
[/keywordpop]
/Config/ipget.asp?kn=every&usd=
/Config/ipget.asp?kn=first&usd=
hXXp://koreaserver.kr
hXXp://domainserver.co.kr
hXXp://hostserver.kr
hXXp://mainserver.kr
hXXp://makevalue.com
hXXp://duzip.com
hXXp://maketop.kr
hXXp://itemprice.kr
2000-10-01
Software\Microsoft\Windows\currentversion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\Currentversion\Run
/Config/AskIP.asp
VB6KO.DLL
msvbvm60.dll
wshom.ocx
/config/KeyStringMicroLabRandom.asp?user_no=
WEBSEARCH
/config/KeyStringRandompacket.asp?user_no=
/config/KeyStringRandomPop.asp?uno=
/config/KeyStringRandom.asp?user_no=
MicroProCon.exe
MicroProProc.exe
RetainPt.exe
RetainComp.exe
in.asp?uno=
Software\Microsoft\Windows\currentversion\run
00000001
00000060
.asp?version=
.asp?uno=
nCtrProc.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WinCtrProc.exe:1076
    WinCtrProc.exe:548
    WinCtrProc.exe:1840
    WinCtrProc.exe:320
    %original file name%.exe:2040
    WinCtrCon.exe:1376
    WinCtrCon.exe:1888
    WinCtrCon.exe:1332
    irsetup.exe:652

  2. Delete the original not-a-virus file.
  3. Delete or disinfect the following files created/modified by the not-a-virus:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AskIP[1].htm (28 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (48057 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FcPimSLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WinCtrCon[1].exe (49345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FormLocation[1].htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\TransSiteString[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\UCg_LPrMLab[1].htm (409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\StakePsList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\FcPimSLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\StakePsList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FormLocation[1].htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Uninstall_Ctr[1].exe (21953 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\keyword_platinum[1].htm (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\TransSiteString[1].htm (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FormLocation[2].htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AskIP[1].htm (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FcPimSLab[2].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FormLocation[1].htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\TransSiteString[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\UCg_LPrMLab[2].htm (409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\UCg_LPrMLab[1].htm (409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\UCg_LPrMLab[3].htm (409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\TransSiteString[2].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WinCtrCon[1].exe (49345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AskIP[2].htm (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FcPimSLab[3].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\keyword_platinum[2].htm (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\StakePsList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AskIP[2].htm (28 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (21953 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\keyword_platinum[1].htm (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ProgramUpdateLab[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\FcTimeLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sTakeList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FcTimeLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sTakeList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ProgramUpdateLab[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ProgramUpdateLab[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (424825 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sTakeList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FcTimeLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WinCtrProc[1].exe (424825 bytes)
    %System%\VB6KO.DLL (2712 bytes)
    %System%\MSINET.OCX (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -jDulyJs"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -jDulyJs"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -gArhvG"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -gArhvG"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -fAqhvF"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -fAqhvF"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -hCsjxH"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -hCsjxH"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -SndUi"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "\.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "\.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrProc.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrCon.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
