Gen.Worm.Zomon.1_e37418fd83

by malwarelabrobot on March 6th, 2014 in Malware Descriptions.

Gen:Worm.Zomon.1 (BitDefender), Gen:Worm.Zomon.1 (B) (Emsisoft), Trojan.Crypt (Ikarus), Gen:Worm.Zomon.1 (FSecure), Win32/Zbot.W (AVG), Win32:Torbot [Trj] (Avast), Gen:Worm.Zomon.1 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Trojan.Win32.Swrort.3.FD, BackdoorCaphaw_QKKBAL.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanPSWZbot.YR, PUPTorClient.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, PUP, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: e37418fd833558582ca79782b65c8043
SHA1: d27361559634e992483eead4334c8e9de0b856e3
SHA256: de3f8ac526f4eefe02920b4d8489a522e9d2875224f7257a74e81a3d7dd18f22
SSDeep: 49152:V54UJx8jfVmXR9XDceaJfs/ODT7lpG5aspvEnbv6i/t:jKmXbD4RsyT7lo5asxybyi
Size: 10713964 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-03 17:13:43
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

Behaviour: Description
IRCBot: A bot can communicate with command and control servers via an IRC channel.


Process activity

The Trojan creates the following process(es):

ygvye.exe:1396
iexplore.exe:1216
iexplore.exe:1972
iexplore.exe:1256
iexplore.exe:280
%original file name%.exe:504

The Trojan injects its code into the following process(es):

iexplore.exe:392
iexplore.exe:184
ctfmon.exe:1224

File activity

The process iexplore.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OpenCL.dll (51200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process iexplore.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\tor\state.tmp (222 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.tmp.tmp (5701426 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-consensus.tmp (1243068 bytes)
%Documents and Settings%\%current user%\Application Data\tor\hidden_service\hostname.tmp (24 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.new (1432478 bytes)
%Documents and Settings%\%current user%\Application Data\tor\hidden_service\private_key.tmp (902 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-certs.tmp (18536 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors (0 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.new (0 bytes)

The process iexplore.exe:392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.tmp.tmp (22777909 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.new (5368461 bytes)
%Documents and Settings%\%current user%\Application Data\tor\hidden_service\hostname.tmp (24 bytes)
%Documents and Settings%\%current user%\Application Data\tor\state.tmp (817 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\tor\hidden_service\hostname (0 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors (0 bytes)
%Documents and Settings%\%current user%\Application Data\tor\state (0 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.new (0 bytes)

The process iexplore.exe:184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OpenCL.dll (51200 bytes)

Registry activity

The process ygvye.exe:1396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 9F AC 13 1E 4C 05 D3 3A 90 53 0E 1F A3 65 28"

The process iexplore.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A EF 4D 11 D9 A4 72 E1 B3 0F D4 FC 54 95 FF A6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process iexplore.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 E2 27 9A E7 FE F5 48 58 BA 56 94 57 F5 03 B0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

The process iexplore.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 66 B7 14 79 81 42 6F AE 25 B4 24 16 52 97 AF"

[HKCU\Software\Microsoft\Qyvoer]
"Osreubeq" = "3D 66 C2 93 72 1D 44 C9 DB FD CD BA 43 B4 0C AC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

The process iexplore.exe:184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Qyvoer]
"Osreubeq" = "3D 66 C2 93 72 1D 44 C9 DB FD CD BA 43 B4 0C AC"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 67 A7 2C AA BB 57 A4 17 3A 8D 66 F2 F0 5C 9A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 4D 2E 8A 4C 33 8C 48 05 BD C7 5D A6 85 DD 97"

The process ctfmon.exe:1224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Qyvoer]
"Osreubeq" = "3D 66 C2 93 72 1D 44 C9 DB FD CD BA 43 B4 0C AC"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

URL IP
hxxp://checkip.dyndns.com/
checkip.dyndns.org 91.198.22.70


IDS verdicts

Dropped PE files

MD5 File path
efdd49b208b0b9706536e4637349f483 c:\Documents and Settings\test\Application Data\Arcii\ygvye.exe
9b47b29d863839e0c4247a9f607b936b c:\Documents and Settings\test\Local Settings\Temp\OpenCL.dll


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

Company Name: Microsoft
Product Name: Windows
Product Version: 1
Legal Copyright: Copyright Microsoft
Legal Trademarks:
Original Filename: windows.exe
Internal Name: Windows
File Version: 1
File Description: Windows
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             1690459       1691648   4.24775  917d5481d1aeef3f8549866c1a9525d5
.rdata  1695744          163386        163840    3.8586   326b8be1b450bec3421900fcfa3ff971
.data   1859584          1112252       1105920   4.09676  2102f463e1c623b09e273be8fa21ea74
.rsrc   2973696          31280         32768     3.6168   6e7e2804eaa0190d318de573ce65076a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

%s, %02d %s %4d %02d:%02d:%02d GMT
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Failed sending HTTP request
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
ftp://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
ftp://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d %3d
HTTP %3d
HTTP/%d.%d %3d
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Received HTTP code %d from proxy after CONNECT
TUNNEL_STATE switched to: %d
HTTP/1.%d %d
CONNECT %s HTTP/%s
%s%s%s%s
%s%s%s:%hu
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
password
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"
%s:%s:%08x:%s:%s:%s
%s:%.*s
%s:%s:%s
%02d:%02d
%02d:%02d:%02d
%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
12345678
00000001
0123456789-
%c%c==
%c%c%c=
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
GetProcessHeap
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
WS2_32.dll
URLDownloadToFileW
urlmon.dll
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
PeekNamedPipe
GetCPInfo
admin.invalid
193.138.244.231
ip.external
join
download.mem
udp.stop
syn.stop
slowloris.stop
http.bwrape
http.bwrape.stop
visit.post
zc%C1
H.FT>u
.OCHl>
L1%Fe
q.lk6g
.AsGA
{.tQ,
6%x9%
^k.qQ
s6v5C.Ot
S ;xR%C
%2Cyv
H2G2x.OM
;O.KZ
(%CnXl
@qh%3uk
r5SSHT
S%D2}
'-Z}+
Yz%x7_
Fw.Ve f4o%D2d
4;2%s
?S.Jv8
KERNEL32.DLL
ADVAPI32.DLL
msvcrt.dll
OpenCL.dll
.file
crt1.c
.data
cygming-crtbegin.c
.rdata
_set_url
sha256_sse2_i386.c.text
curl_rand.c
url.c
_Curl_doD
curl_addrinfo.c
http.c
ftp.c
_ftp_do
tftp.c
_tftp_rx
_tftp_txX
_tftp_do
smtp.c
_smtp_doD
http_digest.c
http_proxy.c
http_chunks.c
curl_memrchr.c
ftplistparser.c
curl_sasl.c
curl_gethostname.c
curl_fnmatch.c


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ygvye.exe:1396
    iexplore.exe:1216
    iexplore.exe:1972
    iexplore.exe:1256
    iexplore.exe:280
    %original file name%.exe:504

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OpenCL.dll (51200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\tor\state.tmp (222 bytes)
    %Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.tmp.tmp (5701426 bytes)
    %Documents and Settings%\%current user%\Application Data\tor\cached-consensus.tmp (1243068 bytes)
    %Documents and Settings%\%current user%\Application Data\tor\hidden_service\hostname.tmp (24 bytes)
    %Documents and Settings%\%current user%\Application Data\tor\cached-descriptors.new (1432478 bytes)
    %Documents and Settings%\%current user%\Application Data\tor\hidden_service\private_key.tmp (902 bytes)
    %Documents and Settings%\%current user%\Application Data\tor\cached-certs.tmp (18536 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.