Alex106 Posted May 14, 2015
I did a scan with AVG and Malwarebytes and they found nothing. Then I searched in regedit and this is the situation. I'm fine?

iOnlyEatCops Posted May 14, 2015
You aren't supposed to remove userinit.exe from Registry. https://technet.microsoft.com/en-us/library/cc939862.aspx
So am I clean? This is in my Registry:

ZZCOOL Posted May 14, 2015
PLEASE ANSWER, IF YOU CAN! I don't want to take any chances, I'm not even going to check for the virus...I'm formatting my SSD and changing the passwords on another PC. I only have 2 important questions:
1- Is this virus capable of remaining in the hard disk (SSD) even after complete formatting? I know some viruses can
2- If that's the case, can the virus spread to other drives in the computer.
Anyway I find all the thread confusing. If I wanted to check if I'm infected (for curiosity), how can I do it? I have avast, but I can install another antivirus if needed. Thanks...I'm freaking out...really worried!!!!!!!!
you can be absolutely sure that formatting is going to erase it
Ok thanks. How to check for its presence? Need to input some special type of scan to my antivirus? I also heard you can check for the fade.exe and others on your own, but how? Simply using the "SEARCH" feature in windows? Also last question. Can I move some files from documents (GTA V SAVEGAMES) to another drive without transporting the virus. I know...I'm a virus n00b but I'm super anxious right now :S
C:\Users\yourname\AppData\Local\Temp check for the file here but I'd advise just to format and change passwords it's the safest route

GooD-NTS Posted May 14, 2015
Perhaps it's time for OpenIV to be open source.
Yeah, it would be great to have few OpenIV clones with malware inside. No thanks.

lewistair1 Posted May 14, 2015
I installed the planes mod and now I'm concerned. I deleted the files but have not found fade.exe nor has my anti virus picked up anything. I did find however that the registry files (userinit and shell) were there. Is there anything else I have to do to remove the virus on top of deleting the registry entries and the .asi file?

loseruser Posted May 14, 2015
Looks to be a pretty weak attempt to steal information. From what it looks like if you used the mod and never rebooted, the malicious files shouldn't be in Windows memory anymore, since the attempt to run the executable was from a lame Windows Shell hook. Pretty stupid of the mod developers, all they got out of it was their vilification from all GTA-related communities. Also assuming they weren't smart enough to hide their identity in any place the scripts were uploaded. Also that angry planes mod was really sh*tty. The effect was funny, but the programming was absolutely amateur. A lesson is learned, with a community as immature and malevolent as GTA's, you should never run obfuscated code downloaded from untrusted sources. Hopefully GTA5-Mods goes through with their plan for stricter mod reviewing. It'd be safest just to ban the upload of any pre-compiled code.

ZZCOOL Posted May 14, 2015
Is it possible that this malware was only added in later versions of the script? As I have the first release version and I can find no trace of the fade.exe, the game doesn't start in windowed mode, there is no csc.exe running in the background and there is no trace of the added "shell" that linked to it, as the op posted. So is it possible this was added in a later version? I never had the noclip mod installed so I can't say for that. But I ran the game right after I read this to make sure that it wasn't running in the background and I've had it installed and running for a few weeks now
no that cannot be possible as fade.exe is in my quarantine since day 1 this was may 8th and i am usually quick with testing and showing mods

iOnlyEatCops Posted May 14, 2015
So what do you do if you do find Fade in your temp? What's the best way of deleting it?

Silent Posted May 14, 2015
you should never run obfuscated code downloaded from untrusted sources
This code is not obfuscated. Still, how would a regular user find out? Can't expect people to RE mods before they install them.

lewistair1 Posted May 14, 2015
Well apparently deleting userinit means you cannot logon next time you try.

ckck Posted May 14, 2015
I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod. I was able to do a bit more sleuthing.

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there). The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting. It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.

The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded dlls/code which remain resident in memory.

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file as most of the contents were also unencrypted in memory.

My first clue that something was going wrong, and the first memory dump I got of the process in action, was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th. According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.

The target of these attacks was:
http://www.twitch.tv/brianthedanishviking
77.68.209.7

Further investigation revealed the following modules active:
- Facebook spam/credential stealing module
- Twitch spam/credential stealing module
- Messenger.com spam/credential stealing module
- A Steam spamming module
- A Steam module that evaluates the items in your inventory and their value based on current market value
- A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
- A UDP flooding module
There were others I hadn't deciphered and didn't see in action.

All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing. It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.

Now, here's the juiciest and most useful bit. The C&C server is apcrypt.duckdns.org which resolves to 45.58.121.105. It's a cheap windows VPS with a company called https://www.cloudieweb.com/ which is utilizing dedicated server rented from Choopa.com. This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server so I was unable to spy any of that activity in any meaningful way in the time I had available.

Tools used to investigate:
- ProcessExplorer
- WinDbg
- Jetbrains DotPeek
- Strings (https://technet.microsoft.com/en-us/sysinternals/bb897439.aspx)
- Wireshark

IMPORTANT/TL;DR: If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands. Change all your passwords, logout and log back in to every site mentioned above to invalidate the existing session.

p.s. I will include some strings from the modules referenced above in the following post.

Darth_Clark Posted May 14, 2015
asi shows clean because antivirus has no signature match, so it goes into dynamic analysis i.e. emulating library execution and finds still nothing because this stuff is called only when script starts ingame (no proper environment for antivirus), so there will be signatures in av bases soon for the downloader function inside asi, signatures for logger which it is downloading are already in 1/4 of antiviruses
Is the downloader function working through GTA5.exe? If so, does it mean I won't be infected if I blocked GTA5.exe in my Windows firewall since the trojan couldn't get the keylogger exe from hacker's site? I've made a cracked copy of the game for playing mods while keeping my legal copy clean for playing Online. And I blocked the cracked GTA5.exe from reaching internet. I didn't find either fade.exe or init..exe, and nothing in my AV history.

Igor Bogdanoff Posted May 14, 2015
And now let's call spiderman to get that douchebag!

Falenone Posted May 14, 2015
I didn't find any trace of the fade.exe nor registry keys in my computer. I only used the noclip. I uninstalled the mod. Am I safe from it? I ran CCleaner a few hours ago and I didn't know about it then. Even if the program was there and now gone, if there's no registry entries then I should be good? I use both Malwarebytes and ESET and they never alerted me.

Silent Posted May 14, 2015
p.s. I will include some strings from the modules referenced above in the following post.
Great analysis! Thank you

BS_BlackScout Posted May 14, 2015
That's some real, real, real f*cked up analysis. Still, we need to go deeper xD Great job

rappo Posted May 14, 2015
p.s. I will include some strings from the modules referenced above in the following post.
@ckck Thank you for that information - I can confirm that both Angry Planes and No Clip were uploaded by IP addresses from Denmark.

iOnlyEatCops Posted May 14, 2015
Deleted the folder that Fade.exe was in. Is my registry good or do I need to delete anything?

MarshallRawR Posted May 14, 2015
IMPORTANT/TL;DR: If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands.
If my antivirus picked it up before all my password changes, am I fine?

ZZCOOL Posted May 14, 2015
what is fade.exe was detected and quarantined

LoneMerc Posted May 14, 2015
Epic analysis. How do we know what's wrong in the registry and what to remove?

rappo Posted May 14, 2015
Was someone using us to get more visitors to their Twitch page?

Cysiek Posted May 14, 2015
Delete all files in this folder C:\Users\YOU\AppData\Local\Temp and problem solved. Now scan your pc.

Drkz Posted May 14, 2015
According to what I saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

ZZCOOL Posted May 14, 2015
Was someone using us to get more visitors to their Twitch page?
I would think someone was using people to flood a twitch page to attack someone's stream

jippa_lippa Posted May 14, 2015
Fellas, regarding the NOCLIP MOD only (I didn't use the other one) something doesn't feel right. Is the mod ITSELF infected or is there a chance only the one uploaded to GTA5 MODS being infected? I downloaded mine from here: www.gtaall.com/gta-5/mods/60829-noclip.html And I don't have any "fade.exe" in my temp folder. By the way I'm super pissed, because the noclip mod is actually very useful for recording videos!!! Might we see it one day in the Official Native Trainer?

Zeynohh Posted May 14, 2015
According to what I saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.
Can you tell me exactly which ones I shall remove?

LoneMerc Posted May 14, 2015
According to what I saw and read it doesn't sound like a state of the art malware guys, actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.
What should we look for in the registry? I've searched for both the types of .exe and found nothing, is there anything we should be looking out for? I'd like to be 1000% in knowing it's not running/removed + clean from the reg before changing all my passwords for obvious reasons. Does anyone else have an idea if this would steal PuTTY sessions?? I've been SSH'd on my servers/clients servers all day with bloody work...

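Added example, not part of the thread and not any poster's code: a read-only PowerShell check for the indicators the posts above name (the Winlogon Userinit and Shell values, fade.exe under Temp, a lingering csc.exe process, and the C&C host and address from ckck's post). The Winlogon key path and the stock values are standard Windows defaults rather than something stated in the thread; the function names and the 60-second threshold are choices made for this example.

```powershell
# Added example, read-only: reports on indicators named in this thread and
# changes nothing. Assumes PowerShell 3.0 or later.
$WinlogonKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'  # standard Windows path
$C2Host      = 'apcrypt.duckdns.org'   # C&C host name from ckck's post
$C2Address   = '45.58.121.105'         # C&C address from ckck's post

function Get-StockWinlogonValue {
    param([string]$Hive, [string]$Name)
    # Stock Windows sets Shell and Userinit under HKLM only; HKCU has neither.
    if ($Hive -ne 'HKLM')     { return $null }
    if ($Name -eq 'Shell')    { return 'explorer.exe' }
    if ($Name -eq 'Userinit') { return (Join-Path $env:SystemRoot 'system32\userinit.exe') }
    return $null
}

function Test-WinlogonValue {
    param([string]$Hive, [string]$Name)
    $props  = Get-ItemProperty -Path "${Hive}:\$WinlogonKey" -ErrorAction SilentlyContinue
    $actual = if ($props) { $props.$Name } else { $null }
    $stock  = Get-StockWinlogonValue -Hive $Hive -Name $Name
    # Userinit is a comma-separated list that normally ends with a comma.
    $norm   = if ($actual) { ([string]$actual).Trim().TrimEnd(',').Trim() } else { $null }

    if (-not $norm -and -not $stock) { $status = 'OK (absent, as on stock Windows)' }
    elseif (-not $norm)              { $status = 'MISSING (stock Windows has this value)' }
    elseif (-not $stock)             { $status = 'REVIEW (not present on stock Windows)' }
    elseif ($norm -ieq $stock)       { $status = 'OK' }
    else                             { $status = 'REVIEW (differs from the stock value)' }

    [pscustomobject]@{ Hive = $Hive; Name = $Name; Value = $actual; Status = $status }
}

function Find-FadeExe {
    # fade.exe anywhere under the current user's Temp folder (location given in the thread).
    Get-ChildItem -Path $env:TEMP -Filter 'fade.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime
}

function Get-LingeringCsc {
    param([int]$MinSeconds = 60)   # threshold is an arbitrary choice for this example
    # csc.exe is the .NET C# compiler, a command-line tool that exits when compilation ends.
    foreach ($p in @(Get-Process -Name csc -ErrorAction SilentlyContinue)) {
        $age = if ($p.StartTime) { [int](New-TimeSpan -Start $p.StartTime).TotalSeconds } else { $null }
        if ($null -eq $age -or $age -ge $MinSeconds) {
            [pscustomobject]@{ Id = $p.Id; Path = $p.Path; AgeSeconds = $age }
        }
    }
}

function Get-C2Trace {
    # Both cmdlets exist on Windows 8 / Server 2012 and later; skipped elsewhere.
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        Get-DnsClientCache -ErrorAction SilentlyContinue |
            Where-Object { $_.Entry -ieq $C2Host -or $_.Data -eq $C2Address } |
            Select-Object @{ Name = 'Source'; Expression = { 'DNS cache' } }, Entry, Data
    }
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Source'; Expression = { 'TCP connection' } },
                          RemotePort, State, OwningProcess
    }
}

function Show-Section {
    param([string]$Title, $Items)
    Write-Host "== $Title =="
    if ($Items) { $Items | Format-List | Out-String | Write-Host }
    else        { Write-Host "   nothing found`n" }
}

$winlogon = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($name in 'Shell', 'Userinit') { Test-WinlogonValue -Hive $hive -Name $name }
}
Show-Section 'Winlogon Shell / Userinit' $winlogon
Show-Section 'fade.exe under Temp'       (Find-FadeExe)
Show-Section 'csc.exe running over 60 s' (Get-LingeringCsc)
Show-Section 'Traces of the C&C host'    (Get-C2Trace)
```
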
ckck Posted May 14, 2015
Strings from one of the running Twitch module:

Strings from the running Steam Inventory evaluation module:

Strings from the Facebook information stealing module:

If you have any questions or requests let me know and I'll see if I can figure out more. I don't have a ton of time to spend on it as my lunch break is over.