HEUR:Virus.Win32.Generic (Kaspersky), Win32.Runouce.B@mm (B) (Emsisoft), Win32.Runouce.B@mm (AdAware), Virus.Win32.Sality.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR, VirusVirut.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d1a9eb22ca68f5fdb8e4321176bfc55b
SHA1: 358ba3fa89e2158a7d3f3c28e89f1f7622dec259
SHA256: f6a9828a2c33a460564296690e14c058c4ff904064095d7d037cd37ed1a8a595
SSDeep: 6144:eBODRHr8GayPVxR3SMoKSRbBigwmL5GWJdV6bg:eBUHQS7R3loztBrG47
Size: 318460 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-02-09 16:07:45
Analyzed on: Windows7 SP1 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
No processes have been created.
The Worm injects its code into the following process(es):
%original file name%.exe:1780
%original file name%.exe:1908
taskhost.exe:1940
Dwm.exe:2008
Explorer.EXE:2024
conhost.exe:2520
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1780 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\system.ini (70 bytes)
C:\chkc.exe (130 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (1312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winfmngob.exe (741 bytes)
C:\autorun.inf (279 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (784 bytes)
The Worm deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winfmngob.exe (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\runouce.exe (1504988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (3288 bytes)
Registry activity
The process %original file name%.exe:1780 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The process %original file name%.exe:1908 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce" = "C:\Windows\system32\runouce.exe"
Dropped PE files
MD5 | File path |
---|---|
516a83a3c69a76442df26b1bb7f71a4b | c:\chkc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Windows\system.ini (70 bytes)
C:\chkc.exe (130 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (1312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winfmngob.exe (741 bytes)
C:\autorun.inf (279 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (784 bytes)
C:\Windows\System32\runouce.exe (1504988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (3288 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce" = "C:\Windows\system32\runouce.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: OLEViewer
Product Version: 2.1
Legal Copyright: Copyright (c) 1993-96 Microsoft Corporation. All Rights Reserved.
Legal Trademarks: By Charlie Kindel, Michael Nelson, and Michael Antonio
Original Filename: oleview.EXE
Internal Name: OLEViewer
File Version: 2.10.050
File Description: OLEViewer Version 2.1
Comments: OLE/COM Object Viewer 2.1
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 110592 | 110592 | 4.19064 | 8c726ddd40d62c42b05a31986c2fdc4f |
.data | 114688 | 2424 | 2048 | 2.90468 | 2590b7d371c8e57df2df83a3770a3762 |
.rsrc | 118784 | 45428 | 45568 | 2.90377 | 1cc2f56f86438219852cdf89a0340dc3 |
.reloc | 167936 | 155652 | 156156 | 5.439 | 4e20c20e4f900778903b10cb7e5aac26 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
meggay.com | 31.192.108.36 |
regexy.com | 88.99.25.106 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1908:
.text
.text
.data
.data
.rsrc
.rsrc
@.reloc
@.reloc
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
iviewers.dll
iviewers.dll
IVIEWERS.DLL
IVIEWERS.DLL
Component Categories\%s
Component Categories\%s
comcat.dll
comcat.dll
Comcat.DLL
Comcat.DLL
CLSID\%s
CLSID\%s
%s - %s. By Charlie Kindel,
%s - %s. By Charlie Kindel,
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
CoCreateInstance failed using the CLSID for '%s'
CoCreateInstance failed using the CLSID for '%s'
All HKEY_CLASSES_ROOT\Component Categories Entries
All HKEY_CLASSES_ROOT\Component Categories Entries
All HKEY_CLASSES_ROOT\APPID Entries
All HKEY_CLASSES_ROOT\APPID Entries
OLE32.DLL
OLE32.DLL
msjava.dll
msjava.dll
Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|
Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|
Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|
Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|
%d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
%d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
REGEDIT.EXE
REGEDIT.EXE
LoadTypeLib( %s ) failed.
LoadTypeLib( %s ) failed.
*.tlb
*.tlb
The %s interface viewer failed to load.
The %s interface viewer failed to load.
Could not convert the CLSID of the %s interface viewer.
Could not convert the CLSID of the %s interface viewer.
Interface\%S\OLEViewerIViewerCLSID
Interface\%S\OLEViewerIViewerCLSID
Interface\%S
Interface\%S
The file droped (%s) is not a valid persistent OLE object or Type Library file.
The file droped (%s) is not a valid persistent OLE object or Type Library file.
%s\Insertable
%s\Insertable
%s\NotInsertable
%s\NotInsertable
2disp.dll
2disp.dll
2.dll
2.dll
2prox.dll
2prox.dll
aut32.dll
aut32.dll
cnv32.dll
cnv32.dll
2pr32.dll
2pr32.dll
prx32.dll
prx32.dll
32.dll
32.dll
%s
%s
%s\Implemented Categories\%s
%s\Implemented Categories\%s
%S
%S
[AppID: %s]
[AppID: %s]
AppID\%s
AppID\%s
%s (Ver %s)
%s (Ver %s)
QueryInterface for %s returned a failure code other than E_NOINTERFACE.
QueryInterface for %s returned a failure code other than E_NOINTERFACE.
IMoniker::BindToObject failed on the file moniker created from ( "%s" ).
IMoniker::BindToObject failed on the file moniker created from ( "%s" ).
_%S
_%S
LoadRegTypeLib(%s, %u, %u, %lu, ...) failed.
LoadRegTypeLib(%s, %u, %u, %lu, ...) failed.
Warning: MkParseDisplayName only ate up to "%s".
Warning: MkParseDisplayName only ate up to "%s".
MkParseDisplayName(... "%s" ...) failed.
MkParseDisplayName(... "%s" ...) failed.
%s (%s)
%s (%s)
LoadRegTypeLib(%u, %u, %lu, &u ...) failed.
LoadRegTypeLib(%u, %u, %lu, &u ...) failed.
classid="clsid:%S"
classid="clsid:%S"
FileType\%s
FileType\%s
Interface\%s
Interface\%s
TypeLib\%s
TypeLib\%s
%s = %s
%s = %s
%s [%s] = %s
%s [%s] = %s
%s [] = %s
%s [] = %s
%#04XX (%lu)
%#04XX (%lu)
%s\%s
%s\%s
Couldn't get address of SedDiscrectionaryAclEditor() in ACLEDIT.DLL!
Couldn't get address of SedDiscrectionaryAclEditor() in ACLEDIT.DLL!
Couldn't load ACLEDIT.DLL!
Couldn't load ACLEDIT.DLL!
ACLEDIT.DLL
ACLEDIT.DLL
APPID\%s
APPID\%s
CLSID\%s\%s
CLSID\%s\%s
CLSID\%s\LocalServer32
CLSID\%s\LocalServer32
FACILITY_WINDOWS
FACILITY_WINDOWS
VIEW_S_FIRST...VIEW_S_LAST
VIEW_S_FIRST...VIEW_S_LAST
VIEW_E_FIRST...VIEW_E_LAST
VIEW_E_FIRST...VIEW_E_LAST
REGDB_S_FIRST...REGDB_S_LAST
REGDB_S_FIRST...REGDB_S_LAST
REGDB_E_FIRST...REGDB_E_LAST
REGDB_E_FIRST...REGDB_E_LAST
OLE_S_FIRST...OLE_S_LAST
OLE_S_FIRST...OLE_S_LAST
OLE_E_FIRST...OLE_E_LAST
OLE_E_FIRST...OLE_E_LAST
OLEOBJ_S_FIRST...OLEOBJ_S_LAST
OLEOBJ_S_FIRST...OLEOBJ_S_LAST
OLEOBJ_E_FIRST...OLEOBJ_E_LAST
OLEOBJ_E_FIRST...OLEOBJ_E_LAST
MK_S_FIRST...MK_S_LAST
MK_S_FIRST...MK_S_LAST
MK_E_FIRST...MK_E_LAST
MK_E_FIRST...MK_E_LAST
MARSHAL_S_FIRST...MARSHAL_S_LAST
MARSHAL_S_FIRST...MARSHAL_S_LAST
MARSHAL_E_FIRST...MARSHAL_E_LAST
MARSHAL_E_FIRST...MARSHAL_E_LAST
INPLACE_S_FIRST...INPLACE_S_LAST
INPLACE_S_FIRST...INPLACE_S_LAST
INPLACE_E_FIRST...INPLACE_E_LAST
INPLACE_E_FIRST...INPLACE_E_LAST
ENUM_S_FIRST...ENUM_S_LAST
ENUM_S_FIRST...ENUM_S_LAST
ENUM_E_FIRST...ENUM_E_LAST
ENUM_E_FIRST...ENUM_E_LAST
DRAGDROP_S_FIRST...DRAGDROP_S_LAST
DRAGDROP_S_FIRST...DRAGDROP_S_LAST
DRAGDROP_E_FIRST...DRAGDROP_E_LAST
DRAGDROP_E_FIRST...DRAGDROP_E_LAST
DATA_S_FIRST...DATA_S_LAST
DATA_S_FIRST...DATA_S_LAST
DATA_E_FIRST...DATA_E_LAST
DATA_E_FIRST...DATA_E_LAST
CO_S_FIRST...CO_S_LAST
CO_S_FIRST...CO_S_LAST
CO_E_FIRST...CO_E_LAST
CO_E_FIRST...CO_E_LAST
CONVERT10_S_FIRST...CONVERT10_S_LAST
CONVERT10_S_FIRST...CONVERT10_S_LAST
CONVERT10_E_FIRST...CONVERT10_E_LAST
CONVERT10_E_FIRST...CONVERT10_E_LAST
CLIPBRD_S_FIRST...CLIPBRD_S_LAST
CLIPBRD_S_FIRST...CLIPBRD_S_LAST
CLIPBRD_E_FIRST...CLIPBRD_E_LAST
CLIPBRD_E_FIRST...CLIPBRD_E_LAST
CLIENTSITE_S_FIRST...CLIENTSITE_S_LAST
CLIENTSITE_S_FIRST...CLIENTSITE_S_LAST
CLIENTSITE_E_FIRST...CLIENTSITE_E_LAST
CLIENTSITE_E_FIRST...CLIENTSITE_E_LAST
CLASSFACTORY_S_FIRST...CLASSFACTORY_S_LAST
CLASSFACTORY_S_FIRST...CLASSFACTORY_S_LAST
CLASSFACTORY_E_FIRST...CLASSFACTORY_E_LAST
CLASSFACTORY_E_FIRST...CLASSFACTORY_E_LAST
CACHE_S_FIRST...CACHE_S_LAST
CACHE_S_FIRST...CACHE_S_LAST
CACHE_E_FIRST...CACHE_E_LAST
CACHE_E_FIRST...CACHE_E_LAST
REGDB_E_KEYMISSING
REGDB_E_KEYMISSING
OLE_E_ADVISENOTSUPPORTED
OLE_E_ADVISENOTSUPPORTED
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
CO_E_SERVER_EXEC_FAILURE
CO_E_SERVER_EXEC_FAILURE
CACHE_S_FORMATETC_NOTSUPPORTED
CACHE_S_FORMATETC_NOTSUPPORTED
severity: %s, facility: %s ($lX)
severity: %s, facility: %s ($lX)
range: %s ($lX)
range: %s ($lX)
%s ($lX)
%s ($lX)
%s
%s
%s %s
%s %s
~$SSh
~$SSh
PQSSh
PQSSh
MFC42.DLL
MFC42.DLL
__p__acmdln
__p__acmdln
MSVCRT.dll
MSVCRT.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegEnumKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyA
RegDeleteKeyA
RegDeleteKeyA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
VERSION.dll
VERSION.dll
DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|
DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|
.?AVCCmdTarget@@
.?AVCCmdTarget@@
TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|
TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|
.PAVCException@@
.PAVCException@@
AllFiles(*.*)|*.*|
AllFiles(*.*)|*.*|
.PAVCOleException@@
.PAVCOleException@@
7 7$7(7,7074787
7 7$7(7,7074787
9 9$9(9,9
9 9$9(9,9
;!
;!
5o6Z6
5o6Z6
6 737_7}7
6 737_7}7
t`{R %D
t`{R %D
k%D">
k%D">
-sv.DYr6
-sv.DYr6
$=%c(
$=%c(
aUM.Yul
aUM.Yul
#.tY]@
#.tY]@
7=e6%d
7=e6%d
r.rW-
r.rW-
%f!",
%f!",
USER32.DLL
USER32.DLL
ADVAPI32.DLL
ADVAPI32.DLL
MPR.DLL
MPR.DLL
WSOCK32.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
\runouce.exe
\runouce.exe
=.wabt!=.adct$=r.dbt
=.wabt!=.adct$=r.dbt
=.doct
=.doct
=.xlst
=.xlst
=.exetS=.scrtL=.htmt
=.exetS=.scrtL=.htmt
readme.eml
readme.eml
btamail.net.cn
btamail.net.cn
HELO btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
RCPT TO: %s
FROM: %s@yahoo.com
FROM: %s@yahoo.com
TO: %s
TO: %s
SUBJECT: %s is comming!
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
Content-Type: audio/x-wav; name="pp.exe"
.idata
.idata
.reloc
.reloc
JOIN #.%d
JOIN #.%d
DSTAMP %ddd
DSTAMP %ddd
\USERINIT.EXE
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
fbibiz.com
fbibiz.com
olmbra.com
olmbra.com
meggay.com
meggay.com
regexy.com
regexy.com
inreos.com
inreos.com
NICK yhzlxkjy
NICK yhzlxkjy
SFC.DLL
SFC.DLL
SFC_OS.DLL
SFC_OS.DLL
SHLWAPI.DLL
SHLWAPI.DLL
WININET.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
KERNEL32.DLL
windowsupdate
windowsupdate
drweb
drweb
.Access
.Access
oleview.hlp
oleview.hlp
2.10.050
2.10.050
oleview.EXE
oleview.EXE
To select a class: Double click the name or highlight the name with the cursor keys and press return.
To select a class: Double click the name or highlight the name with the cursor keys and press return.
OLEViewer Files (*.ore)
OLEViewer Files (*.ore)
oleview.Document
oleview.Document
Replace%Select the entire document
Replace%Select the entire document
.Bind to a file via a File Moniker
.Bind to a file via a File Moniker
Show OLE 1.0 Objects@Show objects that have the NotInsertable key.
Show OLE 1.0 Objects@Show objects that have the NotInsertable key.
Show ContainersGShow Objects that have the Control key (OLE Controls)
Show ContainersGShow Objects that have the Control key (OLE Controls)
Delete from RegistryAShow Objects that have the Insertable Key
Delete from RegistryAShow Objects that have the Insertable Key
Run the Windows Registry Editor
Run the Windows Registry Editor
Microsoft^Could not find IVIEWERS.DLL to auto-register the ITypeLib and IDataObject interface viewers.
Microsoft^Could not find IVIEWERS.DLL to auto-register the ITypeLib and IDataObject interface viewers.
mOLEViewer will operate correctly without this DLL, however you will not be able to use the interface viewers.
mOLEViewer will operate correctly without this DLL, however you will not be able to use the interface viewers.
B Do you want to try to find IVIEWERS.DLL in a different location? DllRegisterServer in IVIEWERS.DLL failed.
B Do you want to try to find IVIEWERS.DLL in a different location? DllRegisterServer in IVIEWERS.DLL failed.
;Could not find COMCAT.DLL (Component Categories Manager).
;Could not find COMCAT.DLL (Component Categories Manager).
rOLEViewer will operate correctly without this DLL, however you will not be able to fully use component categories.:Could not find DllRegisterServer function in COMCAT.DLL.
rOLEViewer will operate correctly without this DLL, however you will not be able to fully use component categories.:Could not find DllRegisterServer function in COMCAT.DLL.
@ Do you want to try to find COMCAT.DLL in a different location?
@ Do you want to try to find COMCAT.DLL in a different location?
.Display the viewer for the selected item.
.Display the viewer for the selected item.
View0Show or do not show hidden component categories.LToggle the display of component categories that are not meant to be visible.[Create an instance of the selected object on a specific machine.
View0Show or do not show hidden component categories.LToggle the display of component categories that are not meant to be visible.[Create an instance of the selected object on a specific machine.
Create Instance On MachineBEnables or disables "ActivateAtStorage" activation for this class.5View and set the Network OLE options for this object.0Configure class activation and security options.-Change machine wide Distributed COM settings.KUse CLSCTX_REMOTE_SERVER when calling CoGetClassObject
Create Instance On MachineBEnables or disables "ActivateAtStorage" activation for this class.5View and set the Network OLE options for this object.0Configure class activation and security options.-Change machine wide Distributed COM settings.KUse CLSCTX_REMOTE_SERVER when calling CoGetClassObject
CLSCTX_REMOTE_SERVER>Copy the GUID of the currently selected item to the clipboard..Toggle between expert and novice display mode.9Copy an HTML tag for this item to the clipboard.
CLSCTX_REMOTE_SERVER>Copy the GUID of the currently selected item to the clipboard..Toggle between expert and novice display mode.9Copy an HTML tag for this item to the clipboard.
All Files (*.*)
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Access to %1 was denied..An invalid file handle was associated with %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
#Unable to load mail system support.
%original file name%.exe_1908_rwx_00200000_00008000:
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
fbibiz.com
olmbra.com
meggay.com
regexy.com
inreos.com
NICK xaxclarv
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
C:\Windows\system32\winlogon.exe:*:enabled:@shell32.dll,-1
UNC\192.168.50.163\SANDBOXOUTPUT\2017-02-07\D1A9EB22CA68F5FDB8E4321176BFC55B\DUMPS\D1A9EB22CA68F5FDB8E4321176BFC55B.EXE_1908.DMP
%WinDir%\SYSTEM32\MAGNIFY.EXE
\WMPLAYER.EXE
%original file name%.exe_1908_rwx_00210000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
%original file name%.exe_1780:
.text
.data
.rsrc
@.reloc
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
iviewers.dll
IVIEWERS.DLL
Component Categories\%s
comcat.dll
Comcat.DLL
CLSID\%s
%s - %s. By Charlie Kindel,
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
CoCreateInstance failed using the CLSID for '%s'
All HKEY_CLASSES_ROOT\Component Categories Entries
All HKEY_CLASSES_ROOT\APPID Entries
OLE32.DLL
msjava.dll
Executable Files (*.exe;*.dll;*.ocx)|*.exe;*.dll;*.ocx|All Files (*.*)|*.*|
Executable Files (*.exe)|*.exe|All Files (*.*)|*.*|
%d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
REGEDIT.EXE
LoadTypeLib( %s ) failed.
*.tlb
The %s interface viewer failed to load.
Could not convert the CLSID of the %s interface viewer.
Interface\%S\OLEViewerIViewerCLSID
Interface\%S
The file droped (%s) is not a valid persistent OLE object or Type Library file.
%s\Insertable
%s\NotInsertable
2disp.dll
2.dll
2prox.dll
aut32.dll
cnv32.dll
2pr32.dll
prx32.dll
32.dll
%s
%s\Implemented Categories\%s
%S
[AppID: %s]
AppID\%s
%s (Ver %s)
QueryInterface for %s returned a failure code other than E_NOINTERFACE.
IMoniker::BindToObject failed on the file moniker created from ( "%s" ).
_%S
LoadRegTypeLib(%s, %u, %u, %lu, ...) failed.
Warning: MkParseDisplayName only ate up to "%s".
MkParseDisplayName(... "%s" ...) failed.
%s (%s)
LoadRegTypeLib(%u, %u, %lu, &u ...) failed.
classid="clsid:%S"
FileType\%s
Interface\%s
TypeLib\%s
%s = %s
%s [%s] = %s
%s [] = %s
%#04XX (%lu)
%s\%s
Couldn't get address of SedDiscrectionaryAclEditor() in ACLEDIT.DLL!
Couldn't load ACLEDIT.DLL!
ACLEDIT.DLL
APPID\%s
CLSID\%s\%s
CLSID\%s\LocalServer32
FACILITY_WINDOWS
VIEW_S_FIRST...VIEW_S_LAST
VIEW_E_FIRST...VIEW_E_LAST
REGDB_S_FIRST...REGDB_S_LAST
REGDB_E_FIRST...REGDB_E_LAST
OLE_S_FIRST...OLE_S_LAST
OLE_E_FIRST...OLE_E_LAST
OLEOBJ_S_FIRST...OLEOBJ_S_LAST
OLEOBJ_E_FIRST...OLEOBJ_E_LAST
MK_S_FIRST...MK_S_LAST
MK_E_FIRST...MK_E_LAST
MARSHAL_S_FIRST...MARSHAL_S_LAST
MARSHAL_E_FIRST...MARSHAL_E_LAST
INPLACE_S_FIRST...INPLACE_S_LAST
INPLACE_E_FIRST...INPLACE_E_LAST
ENUM_S_FIRST...ENUM_S_LAST
ENUM_E_FIRST...ENUM_E_LAST
DRAGDROP_S_FIRST...DRAGDROP_S_LAST
DRAGDROP_E_FIRST...DRAGDROP_E_LAST
DATA_S_FIRST...DATA_S_LAST
DATA_E_FIRST...DATA_E_LAST
CO_S_FIRST...CO_S_LAST
CO_E_FIRST...CO_E_LAST
CONVERT10_S_FIRST...CONVERT10_S_LAST
CONVERT10_E_FIRST...CONVERT10_E_LAST
CLIPBRD_S_FIRST...CLIPBRD_S_LAST
CLIPBRD_E_FIRST...CLIPBRD_E_LAST
CLIENTSITE_S_FIRST...CLIENTSITE_S_LAST
CLIENTSITE_E_FIRST...CLIENTSITE_E_LAST
CLASSFACTORY_S_FIRST...CLASSFACTORY_S_LAST
CLASSFACTORY_E_FIRST...CLASSFACTORY_E_LAST
CACHE_S_FIRST...CACHE_S_LAST
CACHE_E_FIRST...CACHE_E_LAST
REGDB_E_KEYMISSING
OLE_E_ADVISENOTSUPPORTED
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
CO_E_SERVER_EXEC_FAILURE
CACHE_S_FORMATETC_NOTSUPPORTED
severity: %s, facility: %s ($lX)
range: %s ($lX)
%s ($lX)
%s
%s %s
MFC42.DLL
__p__acmdln
MSVCRT.dll
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
RegOpenKeyA
RegDeleteKeyA
RegQueryInfoKeyA
RegCreateKeyExA
ADVAPI32.dll
WinExec
KERNEL32.dll
GDI32.dll
USER32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
VERSION.dll
DLL Files (*.dll)|*.dll|AllFiles(*.*)|*.*|
.?AVCCmdTarget@@
TypeLib Files (*.tlb;*.olb;*.dll;*.ocx;*.exe)|*.tlb;*.olb;*.dll;*.ocx;*.exe|AllFiles(*.*)|*.*|
.PAVCException@@
AllFiles(*.*)|*.*|
.PAVCOleException@@
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.reloc
c:\%original file name%.exe
WS2_32.dll
SHFileOperationA
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegNotifyChangeKeyValue
\runouce.exe
=.wabt!=.adct$=r.dbt
=.doct
=.xlst
=.exetS=.scrtL=.htmt
readme.eml
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.Access
oleview.hlp
2.10.050
oleview.EXE
To select a class: Double click the name or highlight the name with the cursor keys and press return.
OLEViewer Files (*.ore)
oleview.Document
Replace%Select the entire document
.Bind to a file via a File Moniker
Show OLE 1.0 Objects@Show objects that have the NotInsertable key.
Show ContainersGShow Objects that have the Control key (OLE Controls)
Delete from RegistryAShow Objects that have the Insertable Key
Run the Windows Registry Editor
Microsoft^Could not find IVIEWERS.DLL to auto-register the ITypeLib and IDataObject interface viewers.
mOLEViewer will operate correctly without this DLL, however you will not be able to use the interface viewers.
B Do you want to try to find IVIEWERS.DLL in a different location? DllRegisterServer in IVIEWERS.DLL failed.
;Could not find COMCAT.DLL (Component Categories Manager).
rOLEViewer will operate correctly without this DLL, however you will not be able to fully use component categories.:Could not find DllRegisterServer function in COMCAT.DLL.
@ Do you want to try to find COMCAT.DLL in a different location?
.Display the viewer for the selected item.
View0Show or do not show hidden component categories.LToggle the display of component categories that are not meant to be visible.[Create an instance of the selected object on a specific machine.
Create Instance On MachineBEnables or disables "ActivateAtStorage" activation for this class.5View and set the Network OLE options for this object.0Configure class activation and security options.-Change machine wide Distributed COM settings.KUse CLSCTX_REMOTE_SERVER when calling CoGetClassObject
CLSCTX_REMOTE_SERVER>Copy the GUID of the currently selected item to the clipboard..Toggle between expert and novice display mode.9Copy an HTML tag for this item to the clipboard.
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Access to %1 was denied..An invalid file handle was associated with %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
#Unable to load mail system support.
%original file name%.exe_1908_rwx_00220000_00001000:
Bv%original file name%.exeM_1908_
%original file name%.exe_1908_rwx_01001000_00001000:
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
iviewers.dll
IVIEWERS.DLL
Component Categories\%s
comcat.dll
Comcat.DLL
CLSID\%s
%s - %s. By Charlie Kindel,
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
CoCreateInstance failed using the CLSID for '%s'
%original file name%.exe_1908_rwx_01046000_0000A000:
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
\runouce.exe
=.wabt!=.adct$=r.dbt
=.doct
=.xlst
=.exetS=.scrtL=.htmt
readme.eml
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
fbibiz.com
olmbra.com
meggay.com
regexy.com
inreos.com
NICK yhzlxkjy
SFC.DLL
SFC_OS.DLL
SHLWAPI.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
%original file name%.exe_1780_rwx_01001000_00001000:
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
iviewers.dll
IVIEWERS.DLL
Component Categories\%s
comcat.dll
Comcat.DLL
CLSID\%s
%s - %s. By Charlie Kindel,
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
CoCreateInstance failed using the CLSID for '%s'
taskhost.exe_1940_rwx_00120000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
%original file name%.exe_1780_rwx_0102B000_00019000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.reloc
c:\%original file name%.exe
.text
KERNEL32.dll
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_1780_rwx_01048000_00001000:
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
%original file name%.exe_1780_rwx_0104E000_00001000:
%original file name%.exe_1780_rwx_011B0000_0108E000:
c:\windows
C:\Windows\system32\drivers\jpppn.sys
4239484882
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
KERNEL32.dll
USER32.dll
h.rdata
H.data
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
%original file name%.exe_1780_rwx_02870000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
%original file name%.exe_1780_rwx_028C0000_00001000:
Bv%original file name%.exeM_1780_
taskhost.exe_1940_rwx_00370000_00001000:
Bvtaskhost.exeM_1940_
Dwm.exe_2008_rwx_00090000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
Dwm.exe_2008_rwx_001D0000_00001000:
Bvdwm.exeM_2008_
Explorer.EXE_2024_rwx_01EE0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
Explorer.EXE_2024_rwx_02D60000_00001000:
Bvexplorer.exeM_2024_
Explorer.EXE_2024_rwx_03A10000_00001000:
C:\Windows\system32\runouce.exe
conhost.exe_2520_rwx_001B0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
conhost.exe_2520_rwx_001C0000_00001000:
Bvconhost.exeM_2520_