HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.CryptoWall.3 (B) (Emsisoft), Gen:Heur.CryptoWall.3 (AdAware), Worm.Win32.Dorkbot.FD, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ad69f71c0105b1e8b0747ee08a244bcf
SHA1: 4c343b411ab7c0d36e2c2ee3f2263e368c35ac91
SHA256: 4045996f7733e8022d1c743692e15ccf69f590fa91cd1f00655c9895a34326f0
SSDeep: 6144:RKcKTbQo8K5gnwCHJs9AO7vaqcwRYv7r5Ho2 zeMI1nNzRD9AXWQ8:1cbt8K wCO9daoSO2uwNzx9/t
Size: 386560 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1996-09-29 10:58:06
Analyzed on: Windows7 SP1 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
MSNWorm | A worm can spread its copies through the MSN Messanger. |
DNSBlocker | A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
calc.exe:2064
mspaint.exe:3000
svchost.exe:2428
csrss.exe:368
winlogon.exe:416
Dwm.exe:2008
taskhost.exe:1940
Explorer.EXE:2024
conhost.exe:3900
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process calc.exe:2064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c731200 (9 bytes)
The process mspaint.exe:3000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes\Dqlqlt.exe (2105 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
Registry activity
The process mspaint.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mspaint_RASAPI32]
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Dqlqlt" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in urlmon.dll:
URLDownloadToFileA
URLDownloadToFileW
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestA
HttpSendRequestW
InternetWriteFile
The Trojan installs the following user-mode hooks in DNSAPI.dll:
DnsQuery_A
DnsQuery_W
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Trojan installs the following user-mode hooks in kernel32.dll:
MoveFileA
MoveFileW
CopyFileA
CreateFileA
CreateFileW
CopyFileW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
ZwResumeThread
NtQueryDirectoryFile
ZwEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.A worm can spread its copies through the MSN Messanger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\c731200 (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes\Dqlqlt.exe (2105 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Dqlqlt" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.bss | 4096 | 3008 | 3072 | 1.94864 | 211b26fd79ef045c5696e673ca1b7507 |
.MYCODE | 8192 | 166912 | 166912 | 4.3191 | f0be0350cbbf3dccad61fe171dec7cf3 |
.rdata | 176128 | 56636 | 56832 | 4.43745 | b7cd8298e1e2f764a578e65039de6853 |
.data | 233472 | 131464 | 5632 | 2.41362 | 621f41d28de09dca3fd3c6ca9b48cb75 |
.rsrc | 368640 | 181760 | 153088 | 4.47372 | d465da34c251c8c4eed0be8a59d02972 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
n.jntbxduhz.ru | |
api.wipmania.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_2428:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
msvcrt.dll
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
RPCRT4.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
_amsg_exit
_amsg_exit
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
svchost.pdb
svchost.pdb
version="5.1.0.0"
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
name="Microsoft.Windows.Services.SvcHost"
Host Process for Windows Services
Host Process for Windows Services
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
\PIPE\
Host Process for Windows Services
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
6.1.7600.16385
6.1.7600.16385
svchost.exe_2428_rwx_00060000_00030000:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
Iw.AEw
Iw.AEw
*windows defender*
*windows defender*
*windowsupdate*
*windowsupdate*
*drweb*
*drweb*
dwwin.exe
dwwin.exe
kernel32.dll
kernel32.dll
iphlpapi.dll
iphlpapi.dll
GetExtendedTcpTable
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
GetOwnerModuleFromTcpEntry
%systemroot%
%systemroot%
%programfiles%\Common Files\*\*.exe
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\Windows\*.exe
%appdata%\Microsoft\Windows\*.exe
ole32.dll
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "start %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "start %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\c731200
%s\%s
%s\%s
%s\%s.lnk
%s\%s.lnk
Windows_Shared_Mutex_231_c0009X00
Windows_Shared_Mutex_231_c0009X00
ntdll.dll
ntdll.dll
\ScreenSaverPro.scr
\ScreenSaverPro.scr
\temp.bin
\temp.bin
user32.dll
user32.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
gdi32.dll
gdi32.dll
rpcrt4.dll
rpcrt4.dll
netapi32.dll
netapi32.dll
.gonewiththewings
.gonewiththewings
*.exe
*.exe
*.gonewiththewings
*.gonewiththewings
\WindowsUpdate\Updater.exe
\WindowsUpdate\Updater.exe
\Microsoft\Windows
\Microsoft\Windows
%s\Program Files\Common Files
%s\Program Files\Common Files
%s\programdata
%s\programdata
WinExec
WinExec
URLDownloadToFileA
URLDownloadToFileA
hXXp://VVV.google.com
hXXp://VVV.google.com
\calc.exe
\calc.exe
\System32\schtasks.exe
\System32\schtasks.exe
"%s" /query /tn "Windows Updater"
"%s" /query /tn "Windows Updater"
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Debugger" /f
"%s" /delete /tn "Windows Debugger" /f
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update Installer
Windows Update Installer
\WindowsUpdate
\WindowsUpdate
\Updater.exe
\Updater.exe
\Explorer.exe
\Explorer.exe
\Update.exe
\Update.exe
notepad.exe
notepad.exe
msiexec.exe
msiexec.exe
bfsvc.exe
bfsvc.exe
helppane.exe
helppane.exe
hh.exe
hh.exe
regedit.exe
regedit.exe
twunk_16.exe
twunk_16.exe
twunk_32.exe
twunk_32.exe
winhelp.exe
winhelp.exe
winhlp32.exe
winhlp32.exe
write.exe
write.exe
Reader_sl.exe
Reader_sl.exe
mspaint.exe
mspaint.exe
\mspaint.exe
\mspaint.exe
\svchost.exe
\svchost.exe
log.txt
log.txt
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%s\*.*
%s\*.*
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
\Microsoft\Windows\Themes
\Microsoft\Windows\Themes
\Windows Live
\Windows Live
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s\Recycler
%s\Recycler
WindowsId
WindowsId
Microsoft\Windows\%s
Microsoft\Windows\%s
%s\%s\%s.exe
%s\%s\%s.exe
:Zone.Identifier
:Zone.Identifier
.quarantined
.quarantined
"%s" -shell
"%s" -shell
"%s" -bind
"%s" -bind
userinit.exe
userinit.exe
explorer.exe
explorer.exe
Microsoft\Windows\%
Microsoft\Windows\%
Windows critical error, require reboot
Windows critical error, require reboot
Windows Update
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
?]2596=4?@9]4@>
?]2596=4?@9]4@>
.tlh0
.tlh0
GetProcessHeap
GetProcessHeap
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegEnumKeyA
RegEnumKeyA
ADVAPI32.dll
ADVAPI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
SetTcpEntry
SetTcpEntry
SHLWAPI.dll
SHLWAPI.dll
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
smss.exe
smss.exe
csrss.exe
csrss.exe
winlogon.exe
winlogon.exe
services.exe
services.exe
lsass.exe
lsass.exe
spoolsv.exe
spoolsv.exe
rundll32.exe
rundll32.exe
alg.exe
alg.exe
iexplore.exe
iexplore.exe
svchost.exe
svchost.exe
WindowsMark
WindowsMark
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate
C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Live
C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Live
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
.TBvC:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes
.TBvC:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0A
tlSSSSSSSSSShL0A
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
%s_%d
%s_%d
-%sMutex
-%sMutex
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
URLDownloadToFileW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
7 767
7 767
8*808;8~8
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
shlwapi.dll
crypt32.dll
crypt32.dll
wtsapi32.dll
wtsapi32.dll
samcli.dll
samcli.dll
netutils.dll
netutils.dll
userenv.dll
userenv.dll
WindowsSecondaryDesktop
WindowsSecondaryDesktop
\charmap.exe
\charmap.exe
\Windows Media Player\wmprph.exe
\Windows Media Player\wmprph.exe
c:\%original file name%.exe
c:\%original file name%.exe
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
Aadvapi32.dll
Aadvapi32.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
svchost.exe_2428_rwx_001F0000_00030000:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
Iw.AEw
Iw.AEw
*windows defender*
*windows defender*
*windowsupdate*
*windowsupdate*
*drweb*
*drweb*
dwwin.exe
dwwin.exe
kernel32.dll
kernel32.dll
iphlpapi.dll
iphlpapi.dll
GetExtendedTcpTable
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
GetOwnerModuleFromTcpEntry
%systemroot%
%systemroot%
%programfiles%\Common Files\*\*.exe
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\Windows\*.exe
%appdata%\Microsoft\Windows\*.exe
ole32.dll
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "start %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "start %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\c731200
%s\%s
%s\%s
%s\%s.lnk
%s\%s.lnk
Windows_Shared_Mutex_231_c0009X00
Windows_Shared_Mutex_231_c0009X00
ntdll.dll
ntdll.dll
\ScreenSaverPro.scr
\ScreenSaverPro.scr
\temp.bin
\temp.bin
user32.dll
user32.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
gdi32.dll
gdi32.dll
rpcrt4.dll
rpcrt4.dll
netapi32.dll
netapi32.dll
.gonewiththewings
.gonewiththewings
*.exe
*.exe
*.gonewiththewings
*.gonewiththewings
\WindowsUpdate\Updater.exe
\WindowsUpdate\Updater.exe
\Microsoft\Windows
\Microsoft\Windows
%s\Program Files\Common Files
%s\Program Files\Common Files
%s\programdata
%s\programdata
WinExec
WinExec
URLDownloadToFileA
URLDownloadToFileA
hXXp://VVV.google.com
hXXp://VVV.google.com
\calc.exe
\calc.exe
\System32\schtasks.exe
\System32\schtasks.exe
"%s" /query /tn "Windows Updater"
"%s" /query /tn "Windows Updater"
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Debugger" /f
"%s" /delete /tn "Windows Debugger" /f
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update Installer
Windows Update Installer
\WindowsUpdate
\WindowsUpdate
\Updater.exe
\Updater.exe
\Explorer.exe
\Explorer.exe
\Update.exe
\Update.exe
notepad.exe
notepad.exe
msiexec.exe
msiexec.exe
bfsvc.exe
bfsvc.exe
helppane.exe
helppane.exe
hh.exe
hh.exe
regedit.exe
regedit.exe
twunk_16.exe
twunk_16.exe
twunk_32.exe
twunk_32.exe
winhelp.exe
winhelp.exe
winhlp32.exe
winhlp32.exe
write.exe
write.exe
Reader_sl.exe
Reader_sl.exe
mspaint.exe
mspaint.exe
\mspaint.exe
\mspaint.exe
\svchost.exe
\svchost.exe
log.txt
log.txt
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%s\*.*
%s\*.*
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
\Microsoft\Windows\Themes
\Microsoft\Windows\Themes
\Windows Live
\Windows Live
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s\Recycler
%s\Recycler
WindowsId
WindowsId
Microsoft\Windows\%s
Microsoft\Windows\%s
%s\%s\%s.exe
%s\%s\%s.exe
:Zone.Identifier
:Zone.Identifier
.quarantined
.quarantined
"%s" -shell
"%s" -shell
"%s" -bind
"%s" -bind
userinit.exe
userinit.exe
explorer.exe
explorer.exe
Microsoft\Windows\%
Microsoft\Windows\%
Windows critical error, require reboot
Windows critical error, require reboot
Windows Update
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
?]2596=4?@9]4@>
?]2596=4?@9]4@>
.tlh0
.tlh0
GetProcessHeap
GetProcessHeap
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegEnumKeyA
RegEnumKeyA
ADVAPI32.dll
ADVAPI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
SetTcpEntry
SetTcpEntry
SHLWAPI.dll
SHLWAPI.dll
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
smss.exe
smss.exe
csrss.exe
csrss.exe
winlogon.exe
winlogon.exe
services.exe
services.exe
lsass.exe
lsass.exe
spoolsv.exe
spoolsv.exe
rundll32.exe
rundll32.exe
alg.exe
alg.exe
iexplore.exe
iexplore.exe
svchost.exe
svchost.exe
WindowsMark
WindowsMark
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate
C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Live
C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Live
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
.TBvC:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes
.TBvC:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0A
tlSSSSSSSSSShL0A
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
%s_%d
%s_%d
-%sMutex
-%sMutex
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
URLDownloadToFileW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
7 767
7 767
8*808;8~8
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
shlwapi.dll
crypt32.dll
crypt32.dll
wtsapi32.dll
wtsapi32.dll
samcli.dll
samcli.dll
netutils.dll
netutils.dll
userenv.dll
userenv.dll
WindowsSecondaryDesktop
WindowsSecondaryDesktop
\charmap.exe
\charmap.exe
\Windows Media Player\wmprph.exe
\Windows Media Player\wmprph.exe
c:\%original file name%.exe
c:\%original file name%.exe
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
Aadvapi32.dll
Aadvapi32.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
svchost.exe_2428_rwx_01310000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL02
tlSSSSSSSSSShL02
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate\Updater.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate\Updater.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\c731200
C:\Users\"%CurrentUserName%"\AppData\Roaming\c731200
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\svchost.exe
\Device\HarddiskVolume1\Windows\System32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
calc.exe_2064:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
gdiplus.dll
gdiplus.dll
ADVAPI32.dll
ADVAPI32.dll
ntdll.DLL
ntdll.DLL
OLEAUT32.dll
OLEAUT32.dll
UxTheme.dll
UxTheme.dll
ole32.dll
ole32.dll
COMCTL32.dll
COMCTL32.dll
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RPCRT4.dll
RPCRT4.dll
WINMM.dll
WINMM.dll
VERSION.dll
VERSION.dll
GDI32.dll
GDI32.dll
msvcrt.dll
msvcrt.dll
Av.TBv
Av.TBv
j.KXK
j.KXK
FTPWSjr
FTPWSjr
FtPWSjP
FtPWSjP
SSShG
SSShG
.u&SSh
.u&SSh
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
WindowsCodecs.dll
WindowsCodecs.dll
ntdll.dll
ntdll.dll
ShellExecuteExW
ShellExecuteExW
GdiplusShutdown
GdiplusShutdown
RegEnumKeyExW
RegEnumKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyExW
RegCreateKeyExW
RegCloseKey
RegCloseKey
GetProcessHeap
GetProcessHeap
EnumChildWindows
EnumChildWindows
EnumDesktopWindows
EnumDesktopWindows
GetKeyState
GetKeyState
__crtGetStringTypeW
__crtGetStringTypeW
__crtLCMapStringW
__crtLCMapStringW
_acmdln
_acmdln
_amsg_exit
_amsg_exit
calc.pdb
calc.pdb
name="Microsoft.Windows.Shell.calc"
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
version="5.1.0.0"
Windows Shell
Windows Shell
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
true
true
KEYWp
KEYWp
>6441111,5
>6441111,5
.Zu,]
.Zu,]
>z.jO`
>z.jO`
.nsEm
.nsEm
5Url]GOqE
5Url]GOqE
6"%CM
6"%CM
B
B
W.Ft6#
W.Ft6#
9 9(9-949@9
9 9(9-949@9
5(5.575=5
5(5.575=5
9Â9x9
9Â9x9
; ;%; ;1;
; ;%; ;1;
5%5S5
5%5S5
^[\ \-]?{\d*}\%c?{\d*}(e[\ \-]?{\d*})?\b*$
^[\ \-]?{\d*}\%c?{\d*}(e[\ \-]?{\d*})?\b*$
USER32.DLL
USER32.DLL
hXXp://VVV.microsoft.com/applets/calc/templates/v1
hXXp://VVV.microsoft.com/applets/calc/templates/v1
xmlns:calcTemplate='hXXp://VVV.microsoft.com/applets/calc/templates/v1'
xmlns:calcTemplate='hXXp://VVV.microsoft.com/applets/calc/templates/v1'
\StringFileInfo\xx\OriginalFilename
\StringFileInfo\xx\OriginalFilename
\sppsvc.exe
\sppsvc.exe
\slui.exe
\slui.exe
\sppuinotify.dll
\sppuinotify.dll
imageres.dll
imageres.dll
datetime_operation
datetime_operation
Software\Microsoft\Windows\CurrentVersion\Applets\
Software\Microsoft\Windows\CurrentVersion\Applets\
mshelp://windows/?id=f15f7d3e-ee9c-465a-a7e8-4e6af5cfee5d
mshelp://windows/?id=f15f7d3e-ee9c-465a-a7e8-4e6af5cfee5d
ErrorCode: %d, Line: %d Column: %d; Error: %s
ErrorCode: %d, Line: %d Column: %d; Error: %s
^{[\ \-]?}{\d*\%c?\d*}({e}[\ \-]?{\d*})?$
^{[\ \-]?}{\d*\%c?\d*}({e}[\ \-]?{\d*})?$
kernel32.dll
kernel32.dll
Microsoft-Windows-Calculator/Diagnostic
Microsoft-Windows-Calculator/Diagnostic
Microsoft-Windows-Calculator/Debug
Microsoft-Windows-Calculator/Debug
Windows Calculator
Windows Calculator
6.1.7601.17514 (win7sp1_rtm.101119-1850)
6.1.7601.17514 (win7sp1_rtm.101119-1850)
CALC.EXE
CALC.EXE
Windows
Windows
Operating System
Operating System
6.1.7601.17514
6.1.7601.17514
calc.exe_2064_rwx_00060000_00002000:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
534733077
534733077
vnawc.exe
vnawc.exe
p730q.exe
p730q.exe
il1bf.exe
il1bf.exe
axvzm.exe
axvzm.exe
p4k5e.exe
p4k5e.exe
ovo6d.exe
ovo6d.exe
ndlhn.exe
ndlhn.exe
nuyk2.exe
nuyk2.exe
etnw3.exe
etnw3.exe
rrwnq.exe
rrwnq.exe
shfj6.exe
shfj6.exe
ytnkr.exe
ytnkr.exe
8n8tp.exe
8n8tp.exe
vy8oq.exe
vy8oq.exe
6r0q4.exe
6r0q4.exe
okfzp.exe
okfzp.exe
b2uhu.exe
b2uhu.exe
mnru0.exe
mnru0.exe
ybjkn.exe
ybjkn.exe
k6h4m.exe
k6h4m.exe
user32.dll
user32.dll
urlmon.dll
urlmon.dll
URLDownloadToFileA
URLDownloadToFileA
wininet.dll
wininet.dll
hXXp://VVV.google.com
hXXp://VVV.google.com
calc.exe_2064_rwx_011D0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\calc.exe
\Device\HarddiskVolume1\Windows\System32\calc.exe
#C:\Windows\system32\calc.exe
#C:\Windows\system32\calc.exe
c:\%original file name%.exe
c:\%original file name%.exe
mspaint.exe_3000:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
ADVAPI32.dll
ADVAPI32.dll
ntdll.DLL
ntdll.DLL
KERNEL32.dll
KERNEL32.dll
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
MFC42u.dll
MFC42u.dll
msvcrt.dll
msvcrt.dll
COMDLG32.dll
COMDLG32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
SHLWAPI.dll
SHLWAPI.dll
PROPSYS.dll
PROPSYS.dll
RPCRT4.dll
RPCRT4.dll
WINMM.dll
WINMM.dll
VERSION.dll
VERSION.dll
Bv.TBv
Bv.TBv
%s#IZ
%s#IZ
j SSSSSSSh
j SSSSSSSh
t;Ht.Ht!Ht
t;Ht.Ht!Ht
COMDLG32.DLL
COMDLG32.DLL
SSSSh
SSSSh
@t8HHt.Ht&Ht
@t8HHt.Ht&Ht
JtmJtXJtCJt.Jt
JtmJtXJtCJt.Jt
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
Ht\HtEHt.Ht
Ht\HtEHt.Ht
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
GdipSetPenLineJoin
GdipSetPenLineJoin
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyExW
RegEnumKeyExW
GetProcessHeap
GetProcessHeap
SetViewportExtEx
SetViewportExtEx
GetKeyboardLayout
GetKeyboardLayout
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjectsEx
GetKeyState
GetKeyState
_amsg_exit
_amsg_exit
_wcmdln
_wcmdln
__crtLCMapStringW
__crtLCMapStringW
__crtGetStringTypeW
__crtGetStringTypeW
ShellExecuteExW
ShellExecuteExW
mspaint.pdb
mspaint.pdb
.PAVCObject@@
.PAVCObject@@
.PAVCException@@
.PAVCException@@
.PAVCFileException@@
.PAVCFileException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCResourceException@@
.PAVCResourceException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCDummyCmdUI@@
.?AVCDummyCmdUI@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCOperation@@
.?AVCOperation@@
.?AVCDrawAutoShapeOperation@@
.?AVCDrawAutoShapeOperation@@
.?AVCDrawShapeOperation@@
.?AVCDrawShapeOperation@@
.?AVCOperationStockImpl@@
.?AVCOperationStockImpl@@
.?AVCDrawRectAutoShapeOperation@@
.?AVCDrawRectAutoShapeOperation@@
.?AVCDrawPolygonOperation@@
.?AVCDrawPolygonOperation@@
.?AVCDrawBezierOperation@@
.?AVCDrawBezierOperation@@
.?AVCDrawLineOperation@@
.?AVCDrawLineOperation@@
.?AVCDrawStrokeOperation@@
.?AVCDrawStrokeOperation@@
.?AV?$CComObject@VCRTSPacketHandler@@@ATL@@
.?AV?$CComObject@VCRTSPacketHandler@@@ATL@@
.?AVCRTSPacketHandler@@
.?AVCRTSPacketHandler@@
.?AV?$StylusPluginImpl@UIStylusAsyncPlugin@@VCRTSPacketHandler@@@@
.?AV?$StylusPluginImpl@UIStylusAsyncPlugin@@VCRTSPacketHandler@@@@
.?AVCRTSStylusHandler@@
.?AVCRTSStylusHandler@@
name="Microsoft.Windows.Shell.mspaint"
name="Microsoft.Windows.Shell.mspaint"
version="5.1.0.0"
version="5.1.0.0"
Windows Shell
Windows Shell
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
true
true
KEYW
KEYW
3993831$5
3993831$5
lb_BB-%F
lb_BB-%F
e&;%fn
e&;%fn
Þp`,
Þp`,
.ET.0y
.ET.0y
.pppF
.pppF
/888 888
/888 888
>888)888
>888)888
9888#888
9888#888
888ˆ8/
888ˆ8/
888!888)8881
888!888)8881
888 888$888)88808884
888 888$888)88808884
3888(888
3888(888
7888&888
7888&888
888 888(8881
888 888(8881
888#888(888/8883
888#888(888/8883
>888;88878887888:
>888;88878887888:
2229222
2229222
2220222
2220222
888 888ˆ8 8881
888 888ˆ8 8881
9%%$"555
9%%$"555
6"#"5,, '556
6"#"5,, '556
P&&&M,, I223F999B@@@
P&&&M,, I223F999B@@@
$%%f f112f888f???fFFFeNMMcUUU`\\\[edeSlllHttt>|||1
$%%f f112f888f???fFFFeNMMcUUU`\\\[edeSlllHttt>|||1
Paint.NET v3.36
Paint.NET v3.36
.iu[mr
.iu[mr
hn/.nzu
hn/.nzu
.zD.k
.zD.k
.pnye%
.pnye%
y9>>.GGG
y9>>.GGG
x<.ggg>
x<.ggg>
g9>>.www]
g9>>.www]
x-|.Nh
x-|.Nh
%.WEn\
%.WEn\
%xE.h
%xE.h
dz.yqI
dz.yqI
1.WI[
1.WI[
73.ZW/
73.ZW/
u.WL*
u.WL*
3twwW...
3twwW...
=.AAZ
=.AAZ
;%CMn
;%CMn
$8z^.aUJ.;]
$8z^.aUJ.;]
L0.vvv
L0.vvv
.teaD#
.teaD#
Hq.vX=
Hq.vX=
9;
9;
%F&%}
%F&%}
L%xQ*S
L%xQ*S
qnn.VVV
qnn.VVV
Z&.NOOG
Z&.NOOG
!nnn.noo
!nnn.noo
.Jdjr9jH
.Jdjr9jH
l.nY:
l.nY:
fs.ONN
fs.ONN
.KIRn
.KIRn
b .dA)
b .dA)
t%xg?
t%xg?
.PV"8!h H
.PV"8!h H
%s899
%s899
.KM/--
.KM/--
6>t%X
6>t%X
...lww
...lww
-\|%U
-\|%U
u_U%X
u_U%X
.VVV|
.VVV|
~,..fq
~,..fq
/..fo
/..fo
j[^^.xA
j[^^.xA
Q3%x2
Q3%x2
aSSS!.DC
aSSS!.DC
\.gL1
\.gL1
xiA.Hs
xiA.Hs
W^y%...bkk
W^y%...bkk
_.do>
_.do>
VP%s7,
VP%s7,
p.TG@
p.TG@
'''.MMy
'''.MMy
.IIeJ
.IIeJ
D%uPT]
D%uPT]
JÿFp8
JÿFp8
\.zzz
\.zzz
.Egyy9
.Egyy9
%%%XXX
%%%XXX
$%s}}
$%s}}
$;;;1::*
$;;;1::*
aYsssH
aYsssH
fhI)..FYY
fhI)..FYY
8a ..FEE
8a ..FEE
3>..NR
3>..NR
SSSHKK
SSSHKK
.FGGQ[[
.FGGQ[[
\.looK
\.looK
$.UVV
$.UVV
\.LOOcaa
\.LOOcaa
.yeeE.
.yeeE.
x.%DQb
x.%DQb
.lmm)
.lmm)
(..VL
(..VL
(..VH
(..VH
.ZYYQ
.ZYYQ
;L!%C
;L!%C
^/..Fgg
^/..Fgg
QUU%C
QUU%C
J*..FYY
J*..FYY
%2SSS
%2SSS
.KTN"
.KTN"
.XPP (
.XPP (
)B!.Qh
)B!.Qh
Enn.ZZZD#
Enn.ZZZD#
7x.lllHp
7x.lllHp
x.ND
x.ND
x<.jg>
x<.jg>
J%ciR
J%ciR
W_}%S
W_}%S
Ynn.VWW%
Ynn.VWW%
S^^.UfVV
S^^.UfVV
sssHOO
sssHOO
\.TVV"''GC;
\.TVV"''GC;
.f.FZZ
.f.FZZ
Nnn.jjjT
Nnn.jjjT
#QJ.Xl
#QJ.Xl
sG.Tz
sG.Tz
O=>>.AD
O=>>.AD
mnn.ZZZd
mnn.ZZZd
* %x
* %x
d.TWW
d.TWW
(..Fvv
(..Fvv
\.TVV
\.TVV
g%%%x
g%%%x
$j[x.Qm
$j[x.Qm
sssHII
sssHII
sssHLL
sssHLL
-..bnn
-..bnn
\.ddd
\.ddd
\.LOO#33
\.LOO#33
.yeeEv
.yeeEv
BhjjBeeÿfPPP
BhjjBeeÿfPPP
.TWWC
.TWWC
(..FSS
(..FSS
.aV6q
.aV6q
T*%cY
T*%cY
WwwwW.
WwwwW.
%2uxx(
%2uxx(
*&&&0
*&&&0
_.ZlxI
_.ZlxI
-Qe}tt
-Qe}tt
P,0%%%X\\
P,0%%%X\\
3a.nN
3a.nN
.loo
.loo
ÚZV,
ÚZV,
..FQQ
..FQQ
@,..biiI
@,..biiI
.bK>?
.bK>?
.whQQ
.whQQ
u,..bkk
u,..bkk
.ED|/I
.ED|/I
-.fff
-.fff
AOO%s
AOO%s
677199)/7
677199)/7
9,..btt
9,..btt
jEnn.FFF
jEnn.FFF
ssshhh
ssshhh
'##C%C
'##C%C
{{{%8:88
{{{%8:88
.gff$B
.gff$B
^.wmrW'
^.wmrW'
:9&&&066
:9&&&066
Z[[%C$
Z[[%C$
\.LNN
\.LNN
hToo/FGG%C
hToo/FGG%C
.JKKQUU
.JKKQUU
FM.yYY
FM.yYY
.UUU"
.UUU"
\.gnn
\.gnn
\.gkk
\.gkk
\.vvvP
\.vvvP
\.GGG
\.GGG
\.Gzz:s
\.Gzz:s
-..bee
-..bee
\.dgg#77
\.dgg#77
,..rAK
,..rAK
ssshnnf6t~~>^
ssshnnf6t~~>^
,..fQZ0
,..fQZ0
Jÿf
Jÿf
Bee%u
Bee%u
Z-fggq}}M
Z-fggq}}M
U)..Fjj
U)..Fjj
.xR(/--
.xR(/--
\.lll 55
\.lll 55
[[[(..FEE
[[[(..FEE
(..Fii)
(..Fii)
HMM%.U 3
HMM%.U 3
...prr
...prr
...pqq
...pqq
\.gD6
\.gD6
Ajf%c
Ajf%c
(..Fee%
(..Fee%
\.LLL
\.LLL
.pS#qD
.pS#qD
%X!|NNNrJ*
%X!|NNNrJ*
\.Ggg
\.Ggg
-= (**
-= (**
C:\T*
C:\T*
J%fgg
J%fgg
=)..Fnn
=)..Fnn
sssH$
sssH$
KKKQ^^.IV
KKKQ^^.IV
...PTT
...PTT
...PSS
...PSS
sl!.JT
sl!.JT
sssHKK
sssHKK
\.LOO#//
\.LOO#//
uÃŒc(((
uÃŒc(((
I,..rQ
I,..rQ
\.Gzz:
\.Gzz:
\.TWWcxx
\.TWWcxx
J%FGG9
J%FGG9
gx4.jiiAEE
gx4.jiiAEE
sssHJJ
sssHJJ
ZQsssHHH@$
ZQsssHHH@$
`.zEE
`.zEE
d2,..bvv
d2,..bvv
XZZBnn.VWW
XZZBnn.VWW
hkkCoo/%D
hkkCoo/%D
,..bdd
,..bdd
La ..Fyy9
La ..Fyy9
]]](((@
]]](((@
E,..bee
E,..bee
A,..boo
A,..boo
(..fqXnn.
(..fqXnn.
...PUU
...PUU
%Unrr
%Unrr
...RD
...RD
hr.PX
hr.PX
(..ft133
(..ft133
(..fu
(..fu
,..bee
,..bee
B4?...Rb
B4?...Rb
q,..bpp
q,..bpp
...frB
...frB
\.twwcdd
\.twwcdd
g.vOO
g.vOO
SSShhh
SSShhh
N.ZZZ
N.ZZZ
N4.GGG
N4.GGG
(..Fee
(..Fee
}A.dJ
}A.dJ
B%Duo2
B%Duo2
ssshll
ssshll
Qnn.VVV
Qnn.VVV
/.myq
/.myq
Onn.rss
Onn.rss
Cnn.VWW
Cnn.VWW
q.Hl}
q.Hl}
888@}}=._
888@}}=._
(..FCC
(..FCC
\.Gaa!
\.Gaa!
.TUUq
.TUUq
"/..fh
"/..fh
.RSS111
.RSS111
RvÞe
RvÞe
4.rgddd@
4.rgddd@
MceeÃ’
MceeÃ’
,R.Sw
,R.Sw
%Mgr.RhY4RfE5Qd:5w
%Mgr.RhY4RfE5Qd:5w
y'MfR Og>-Qh".Sj
y'MfR Og>-Qh".Sj
Kha"OjR(RkB.Sj42Sh04Re15Re!5Rf
Kha"OjR(RkB.Sj42Sh04Re15Re!5Rf
Nkh$RnZ)VoH.Wn92Wn.5Vk'6Th 5Qe
Nkh$RnZ)VoH.Wn92Wn.5Vk'6Th 5Qe
.CFHSW\`}{
.CFHSW\`}{
poq.uuv
poq.uuv
ppq.qpq
ppq.qpq
{Q.JqK*
{Q.JqK*
|R.vuN,
|R.vuN,
dB%sb@$
dB%sb@$
mH('iE'$fC&Û% b@$p`?#
mH('iE'$fC&Û% b@$p`?#
dB%ubA$
dB%ubA$
{R.VxO-
{R.VxO-
|R.cvN,
|R.cvN,
8)9/959:9}9
8)9/959:9}9
:&;,;0;4;
:&;,;0;4;
7,707…8
7,707…8
7u7D7L7`7f7k7q7w7~7
7u7D7L7`7f7k7q7w7~7
8 8$8(8,808
8 8$8(8,808
: :$:(:,:0:4:8:
: :$:(:,:0:4:8:
3=3p3
3=3p3
2 2$2(2,2024282
2 2$2(2,2024282
7Â8K8n8
7Â8K8n8
$040]0{0
$040]0{0
? ?8?`?|?
? ?8?`?|?
Microsoft\Windows\CurrentVersion\Applets
Microsoft\Windows\CurrentVersion\Applets
MSFTEDIT.DLL
MSFTEDIT.DLL
Software\Microsoft\Windows\CurrentVersion\Applets\
Software\Microsoft\Windows\CurrentVersion\Applets\
gdi32.dll
gdi32.dll
\StringFileInfo\xx\OriginalFilename
\StringFileInfo\xx\OriginalFilename
\sppsvc.exe
\sppsvc.exe
\slui.exe
\slui.exe
\sppuinotify.dll
\sppuinotify.dll
%u%su
%u%su
mshelp://windows/?id=379810ee-75d9-4d02-a3b9-68cad94146aa
mshelp://windows/?id=379810ee-75d9-4d02-a3b9-68cad94146aa
DataCallback: Reason=%d Stat=%d %$=%d Offset=%d Length=%d Buf=%p
DataCallback: Reason=%d Stat=%d %$=%d Offset=%d Length=%d Buf=%p
CoGetInterfaceAndReleaseStream HRESULT=x
CoGetInterfaceAndReleaseStream HRESULT=x
CoInitialize HRESULT=x
CoInitialize HRESULT=x
CreateThread LastError=x
CreateThread LastError=x
idtGetBandedData HRESULT=x
idtGetBandedData HRESULT=x
WriteMultiple HRESULT=x
WriteMultiple HRESULT=x
DeviceDlg HRESULT=x
DeviceDlg HRESULT=x
SelectDeviceDlg HRESULT=x
SelectDeviceDlg HRESULT=x
Software\%s\%s\%s
Software\%s\%s\%s
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-MSPaint/Admin
Microsoft-Windows-MSPaint/Diagnostic
Microsoft-Windows-MSPaint/Diagnostic
Microsoft-Windows-MSPaint/Debug
Microsoft-Windows-MSPaint/Debug
Save operation result
Save operation result
Resize skew Operation result
Resize skew Operation result
FlipOperation
FlipOperation
RotateOperation
RotateOperation
CropOperation
CropOperation
InvertColorOperation
InvertColorOperation
ResizeSkewOperation
ResizeSkewOperation
6.1.7600.16385 (win7_rtm.090713-1255)
6.1.7600.16385 (win7_rtm.090713-1255)
MSPAINT.EXE
MSPAINT.EXE
Windows
Windows
Operating System
Operating System
6.1.7600.16385
6.1.7600.16385
mspaint.exe_3000_rwx_00060000_00030000:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
Iw.AEw
Iw.AEw
*windows defender*
*windows defender*
*windowsupdate*
*windowsupdate*
*drweb*
*drweb*
dwwin.exe
dwwin.exe
kernel32.dll
kernel32.dll
iphlpapi.dll
iphlpapi.dll
GetExtendedTcpTable
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
GetOwnerModuleFromTcpEntry
%systemroot%
%systemroot%
%programfiles%\Common Files\*\*.exe
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\Windows\*.exe
%appdata%\Microsoft\Windows\*.exe
ole32.dll
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "%%SystemRoot%%\explorer.exe %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "start %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
/c "start %Ã%%%s & attrib -s -h %Ã%%%s & xcopy /F /S /Q /H /R /Y %Ã%%%s %%temp%%\%s\ & attrib s h %Ã%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\c731200
%s\%s
%s\%s
%s\%s.lnk
%s\%s.lnk
Windows_Shared_Mutex_231_c0009X00
Windows_Shared_Mutex_231_c0009X00
ntdll.dll
ntdll.dll
\ScreenSaverPro.scr
\ScreenSaverPro.scr
\temp.bin
\temp.bin
user32.dll
user32.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
gdi32.dll
gdi32.dll
rpcrt4.dll
rpcrt4.dll
netapi32.dll
netapi32.dll
.gonewiththewings
.gonewiththewings
*.exe
*.exe
*.gonewiththewings
*.gonewiththewings
\WindowsUpdate\Updater.exe
\WindowsUpdate\Updater.exe
\Microsoft\Windows
\Microsoft\Windows
%s\Program Files\Common Files
%s\Program Files\Common Files
%s\programdata
%s\programdata
WinExec
WinExec
URLDownloadToFileA
URLDownloadToFileA
hXXp://VVV.google.com
hXXp://VVV.google.com
\calc.exe
\calc.exe
\System32\schtasks.exe
\System32\schtasks.exe
"%s" /query /tn "Windows Updater"
"%s" /query /tn "Windows Updater"
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Debugger" /f
"%s" /delete /tn "Windows Debugger" /f
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update Installer
Windows Update Installer
\WindowsUpdate
\WindowsUpdate
\Updater.exe
\Updater.exe
\Explorer.exe
\Explorer.exe
\Update.exe
\Update.exe
notepad.exe
notepad.exe
msiexec.exe
msiexec.exe
bfsvc.exe
bfsvc.exe
helppane.exe
helppane.exe
hh.exe
hh.exe
regedit.exe
regedit.exe
twunk_16.exe
twunk_16.exe
twunk_32.exe
twunk_32.exe
winhelp.exe
winhelp.exe
winhlp32.exe
winhlp32.exe
write.exe
write.exe
Reader_sl.exe
Reader_sl.exe
mspaint.exe
mspaint.exe
\mspaint.exe
\mspaint.exe
\svchost.exe
\svchost.exe
log.txt
log.txt
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%s\*.*
%s\*.*
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
\Microsoft\Windows\Themes
\Microsoft\Windows\Themes
\Windows Live
\Windows Live
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s\Recycler
%s\Recycler
WindowsId
WindowsId
Microsoft\Windows\%s
Microsoft\Windows\%s
%s\%s\%s.exe
%s\%s\%s.exe
:Zone.Identifier
:Zone.Identifier
.quarantined
.quarantined
"%s" -shell
"%s" -shell
"%s" -bind
"%s" -bind
userinit.exe
userinit.exe
explorer.exe
explorer.exe
Microsoft\Windows\%
Microsoft\Windows\%
Windows critical error, require reboot
Windows critical error, require reboot
Windows Update
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
n.lotys.ru
n.lotys.ru
n.jntbxduhz.ru
n.jntbxduhz.ru
n.hmiblgoja.ru
n.hmiblgoja.ru
n.ezjhyxxbf.ru
n.ezjhyxxbf.ru
n.yqqufklho.ru
n.yqqufklho.ru
n.vbemnggcj.ru
n.vbemnggcj.ru
n.yxntnyrap.ru
n.yxntnyrap.ru
n.oceardpku.ru
n.oceardpku.ru
n.zhgcuntif.ru
n.zhgcuntif.ru
n.jupoofsnc.ru
n.jupoofsnc.ru
n.aoyylwyxd.ru
n.aoyylwyxd.ru
n.kvupdstwh.ru
n.kvupdstwh.ru
n.spgpemwqk.ru
n.spgpemwqk.ru
n.zhjdwkpaz.ru
n.zhjdwkpaz.ru
n.dclhmfkcb.ru
n.dclhmfkcb.ru
n.yugypkhvl.ru
n.yugypkhvl.ru
n.srobpranm.ru
n.srobpranm.ru
n.zccgyxwfa.ru
n.zccgyxwfa.ru
n.lgcpogvly.ru
n.lgcpogvly.ru
n.mqjcctzdu.ru
n.mqjcctzdu.ru
n.jthxriotb.ru
n.jthxriotb.ru
n.eoifjgjxl.ru
n.eoifjgjxl.ru
n.mmhjrarii.ru
n.mmhjrarii.ru
n.lurgcdqwk.ru
n.lurgcdqwk.ru
n.adkxlenod.ru
n.adkxlenod.ru
n.lumzwlhum.ru
n.lumzwlhum.ru
n.spdsazjaj.ru
n.spdsazjaj.ru
n.rzyyjafvk.ru
n.rzyyjafvk.ru
n.orvjwcvqt.ru
n.orvjwcvqt.ru
n.nikejqiis.ru
n.nikejqiis.ru
n.uhwumfxht.ru
n.uhwumfxht.ru
n.gznzenuve.ru
n.gznzenuve.ru
n.ipdcuzrbj.ru
n.ipdcuzrbj.ru
n.axitdflcr.ru
n.axitdflcr.ru
n.gbckjrrzu.ru
n.gbckjrrzu.ru
n.kntrejzkq.ru
n.kntrejzkq.ru
n.srxkwklks.ru
n.srxkwklks.ru
n.knyszaijv.ru
n.knyszaijv.ru
n.yjeuatihg.ru
n.yjeuatihg.ru
n.zgfvfhtli.ru
n.zgfvfhtli.ru
n.hceymatul.ru
n.hceymatul.ru
n.xiabhaoii.ru
n.xiabhaoii.ru
n.oysaqcxbi.ru
n.oysaqcxbi.ru
n.raqimfebe.ru
n.raqimfebe.ru
n.kbwuxntle.ru
n.kbwuxntle.ru
n.xcuygznmk.ru
n.xcuygznmk.ru
n.fxazudqiv.ru
n.fxazudqiv.ru
n.keqenlhsc.ru
n.keqenlhsc.ru
n.hpufkdrqr.ru
n.hpufkdrqr.ru
n.yfxmjmbpd.ru
n.yfxmjmbpd.ru
n.wbakrhdqe.ru
n.wbakrhdqe.ru
n.fxagapbcw.ru
n.fxagapbcw.ru
n.bkgywvtsx.ru
n.bkgywvtsx.ru
n.zervwpzra.ru
n.zervwpzra.ru
n.akyjwkkqj.ru
n.akyjwkkqj.ru
n.heiylmruc.ru
n.heiylmruc.ru
n.yothepdgz.ru
n.yothepdgz.ru
n.jqltfflhx.ru
n.jqltfflhx.ru
n.gbfelbdjz.ru
n.gbfelbdjz.ru
n.sjkguntum.ru
n.sjkguntum.ru
n.lxbluoryz.ru
n.lxbluoryz.ru
n.khqrqoqoe.ru
n.khqrqoqoe.ru
n.lujjeazun.ru
n.lujjeazun.ru
n.votjsbqxi.ru
n.votjsbqxi.ru
n.whukpjket.ru
n.whukpjket.ru
n.jspowmxsl.ru
n.jspowmxsl.ru
n.bhsbqjysh.ru
n.bhsbqjysh.ru
n.epbdyornt.ru
n.epbdyornt.ru
n.iclcakajd.ru
n.iclcakajd.ru
n.lbxfqfcxj.ru
n.lbxfqfcxj.ru
n.zdxappufr.ru
n.zdxappufr.ru
n.wxvwsagfj.ru
n.wxvwsagfj.ru
n.phbndvdsy.ru
n.phbndvdsy.ru
n.gxltnbgks.ru
n.gxltnbgks.ru
n.jveblfxqs.ru
n.jveblfxqs.ru
n.cfqqxfduf.ru
n.cfqqxfduf.ru
n.bjadvjfdx.ru
n.bjadvjfdx.ru
n.ggxvmjwgy.ru
n.ggxvmjwgy.ru
n.avebiwdbf.ru
n.avebiwdbf.ru
n.jractocvx.ru
n.jractocvx.ru
n.srcbrtetb.ru
n.srcbrtetb.ru
n.tekwkrsll.ru
n.tekwkrsll.ru
n.hbukvpirg.ru
n.hbukvpirg.ru
n.rpbzpxiyg.ru
n.rpbzpxiyg.ru
n.cdtclxicx.ru
n.cdtclxicx.ru
n.cjwxfmimx.ru
n.cjwxfmimx.ru
n.sabqauqxz.ru
n.sabqauqxz.ru
n.ysmilxqbp.ru
n.ysmilxqbp.ru
n.oaclzemyh.ru
n.oaclzemyh.ru
n.sokjrsoge.ru
n.sokjrsoge.ru
n.rqbupminx.ru
n.rqbupminx.ru
n.tsmdeqpxz.ru
n.tsmdeqpxz.ru
n.uqeuhlpbo.ru
n.uqeuhlpbo.ru
n.owjbbpdam.ru
n.owjbbpdam.ru
n.zjadtsvrd.ru
n.zjadtsvrd.ru
n.cusviecqs.ru
n.cusviecqs.ru
n.plrbchand.ru
n.plrbchand.ru
n.zqpkvolqc.ru
n.zqpkvolqc.ru
n.qktjrlxil.ru
n.qktjrlxil.ru
n.xyxbbuxhw.ru
n.xyxbbuxhw.ru
n.nnzykujty.ru
n.nnzykujty.ru
n.elnytydma.com
n.elnytydma.com
n.mrjwqrvhe.com
n.mrjwqrvhe.com
n.nmdlqnsqv.com
n.nmdlqnsqv.com
n.eoxhxlxax.com
n.eoxhxlxax.com
n.kpypmhotd.com
n.kpypmhotd.com
n.iegvyabpm.com
n.iegvyabpm.com
n.vvspbjbsj.com
n.vvspbjbsj.com
n.rejtobfsz.com
n.rejtobfsz.com
n.kyhoimuag.com
n.kyhoimuag.com
n.nfjmrolyt.com
n.nfjmrolyt.com
n.zfluvuuez.com
n.zfluvuuez.com
n.krpjpyuvr.com
n.krpjpyuvr.com
n.jijvoiiqf.com
n.jijvoiiqf.com
n.pszpnkbib.com
n.pszpnkbib.com
n.zhlhvgfpj.com
n.zhlhvgfpj.com
n.mvhrrpbab.com
n.mvhrrpbab.com
n.xqbwkgtli.com
n.xqbwkgtli.com
n.yykzejasl.com
n.yykzejasl.com
n.uafvkahxq.com
n.uafvkahxq.com
n.onnaznfpi.com
n.onnaznfpi.com
n.bvjbygkhq.com
n.bvjbygkhq.com
n.celujntse.com
n.celujntse.com
n.nothauweh.com
n.nothauweh.com
n.bffihxjxo.com
n.bffihxjxo.com
n.onqxlsjsu.com
n.onqxlsjsu.com
n.nzebzahio.com
n.nzebzahio.com
n.ylbotqjmk.com
n.ylbotqjmk.com
n.cbceluvnf.com
n.cbceluvnf.com
n.gurvnrthi.com
n.gurvnrthi.com
n.ckcwacpts.com
n.ckcwacpts.com
n.irhwtkyov.com
n.irhwtkyov.com
n.wnkgkwbbb.com
n.wnkgkwbbb.com
n.eepixnqaa.com
n.eepixnqaa.com
n.zodoyucra.com
n.zodoyucra.com
n.dsnkjlkfu.com
n.dsnkjlkfu.com
n.wpsnxnegs.com
n.wpsnxnegs.com
n.cvnuxxysj.com
n.cvnuxxysj.com
n.wewhftcna.com
n.wewhftcna.com
n.zjfprawyu.com
n.zjfprawyu.com
n.ukgorgrqm.com
n.ukgorgrqm.com
n.nwsxkwjtb.com
n.nwsxkwjtb.com
n.rzhfwlaaj.com
n.rzhfwlaaj.com
n.cygzrpdct.com
n.cygzrpdct.com
n.uahauuzyr.com
n.uahauuzyr.com
n.cirgfzcxh.com
n.cirgfzcxh.com
n.pxktczqpg.com
n.pxktczqpg.com
n.lwoucvztu.com
n.lwoucvztu.com
n.fwmfdsrdo.com
n.fwmfdsrdo.com
n.ysrzbwrhy.com
n.ysrzbwrhy.com
n.lsisqkwax.com
n.lsisqkwax.com
n.obfzdniwo.com
n.obfzdniwo.com
n.koiqczjzt.com
n.koiqczjzt.com
n.sbliadsxt.com
n.sbliadsxt.com
n.jxgxgdmnh.com
n.jxgxgdmnh.com
n.pubacyixo.com
n.pubacyixo.com
n.xqrrrfjkk.com
n.xqrrrfjkk.com
n.ivqxnsonc.com
n.ivqxnsonc.com
n.nxnpcnedd.com
n.nxnpcnedd.com
n.nxoyntdzt.com
n.nxoyntdzt.com
n.rxehjwklo.com
n.rxehjwklo.com
n.igmkzotyp.com
n.igmkzotyp.com
n.aumzkzwrl.com
n.aumzkzwrl.com
n.jcawsrxup.com
n.jcawsrxup.com
n.abmadwhcr.com
n.abmadwhcr.com
n.lmfbywtms.com
n.lmfbywtms.com
n.hhxxcplyd.com
n.hhxxcplyd.com
n.bjlajcvcy.com
n.bjlajcvcy.com
n.kpmcbjlmz.com
n.kpmcbjlmz.com
n.ghovcuips.com
n.ghovcuips.com
n.pucpdbgjm.com
n.pucpdbgjm.com
n.zzwwnrwum.com
n.zzwwnrwum.com
n.odeujslqf.com
n.odeujslqf.com
n.ecnpjynwc.com
n.ecnpjynwc.com
n.ynxjwgdec.com
n.ynxjwgdec.com
n.xrbqavrjw.com
n.xrbqavrjw.com
n.ipzfjqnzj.com
n.ipzfjqnzj.com
n.ulffiidks.com
n.ulffiidks.com
n.qtcyitbce.com
n.qtcyitbce.com
n.abjuylahr.com
n.abjuylahr.com
n.zepjdorss.com
n.zepjdorss.com
n.vlwibqnup.com
n.vlwibqnup.com
n.eaxeebvnx.com
n.eaxeebvnx.com
n.rjywkggko.com
n.rjywkggko.com
n.zmvlqrhsl.com
n.zmvlqrhsl.com
n.unvsceumt.com
n.unvsceumt.com
n.vimaspimf.com
n.vimaspimf.com
n.myyhalxbr.com
n.myyhalxbr.com
n.rsxnjdvgu.com
n.rsxnjdvgu.com
n.kdrlowylf.com
n.kdrlowylf.com
n.tnylqmwer.com
n.tnylqmwer.com
n.wesocfgdj.com
n.wesocfgdj.com
n.sgteglshe.com
n.sgteglshe.com
n.kbsdxnoqc.com
n.kbsdxnoqc.com
n.offbizvki.com
n.offbizvki.com
n.msosxcmuh.com
n.msosxcmuh.com
n.uczcgpuxv.com
n.uczcgpuxv.com
n.wxctgbeou.com
n.wxctgbeou.com
n.lhklpacah.com
n.lhklpacah.com
n.adhelcnoh.com
n.adhelcnoh.com
n.jcapalebj.com
n.jcapalebj.com
.tlh0
.tlh0
GetProcessHeap
GetProcessHeap
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegEnumKeyA
RegEnumKeyA
ADVAPI32.dll
ADVAPI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
SetTcpEntry
SetTcpEntry
SHLWAPI.dll
SHLWAPI.dll
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
smss.exe
smss.exe
csrss.exe
csrss.exe
winlogon.exe
winlogon.exe
services.exe
services.exe
lsass.exe
lsass.exe
spoolsv.exe
spoolsv.exe
rundll32.exe
rundll32.exe
alg.exe
alg.exe
iexplore.exe
iexplore.exe
svchost.exe
svchost.exe
WindowsMark
WindowsMark
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate
C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Live
C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Live
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
.TBvC:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes
.TBvC:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Themes
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0A
tlSSSSSSSSSShL0A
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
%s_%d
%s_%d
-%sMutex
-%sMutex
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
URLDownloadToFileW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
7 767
7 767
8*808;8~8
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
shlwapi.dll
crypt32.dll
crypt32.dll
wtsapi32.dll
wtsapi32.dll
samcli.dll
samcli.dll
netutils.dll
netutils.dll
userenv.dll
userenv.dll
WindowsSecondaryDesktop
WindowsSecondaryDesktop
\charmap.exe
\charmap.exe
\Windows Media Player\wmprph.exe
\Windows Media Player\wmprph.exe
c:\%original file name%.exe
c:\%original file name%.exe
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
Aadvapi32.dll
Aadvapi32.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
mspaint.exe_3000_rwx_007E0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
c:\%original file name%.exe
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Windows
C:\Windows
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\mspaint.exe
\Device\HarddiskVolume1\Windows\System32\mspaint.exe
csrss.exe_368_rwx_02080000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\csrss.exe
\Device\HarddiskVolume1\Windows\System32\csrss.exe
'C:\Windows\system32\csrss.exe
'C:\Windows\system32\csrss.exe
c:\%original file name%.exe
c:\%original file name%.exe
winlogon.exe_416_rwx_006F0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0p
tlSSSSSSSSSShL0p
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\winlogon.exe
\Device\HarddiskVolume1\Windows\System32\winlogon.exe
rc:\%original file name%.exe
rc:\%original file name%.exe
Dwm.exe_2008_rwx_004C0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0M
tlSSSSSSSSSShL0M
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\Dwm.exe
C:\Windows\system32\Dwm.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\dwm.exe
\Device\HarddiskVolume1\Windows\System32\dwm.exe
Oc:\%original file name%.exe
Oc:\%original file name%.exe
taskhost.exe_1940_rwx_00580000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0Y
tlSSSSSSSSSShL0Y
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\taskhost.exe
\Device\HarddiskVolume1\Windows\System32\taskhost.exe
[c:\%original file name%.exe
[c:\%original file name%.exe
Explorer.EXE_2024_rwx_045F0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0`
tlSSSSSSSSSShL0`
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\explorer.exe
\Device\HarddiskVolume1\Windows\explorer.exe
8C:\Windows\Explorer.EXE
8C:\Windows\Explorer.EXE
c:\%original file name%.exe
c:\%original file name%.exe
conhost.exe_3900_rwx_008D0000_0004E000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
=MSG t
=MSG t
>MSG u`
>MSG u`
=PASS
=PASS
8httpu1
8httpu1
8httpuM
8httpuM
tlSSSSSSSSSShL0
tlSSSSSSSSSShL0
Fv.TBv
Fv.TBv
%s.%s
%s.%s
%s.%S
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
%s.p21-> Message hijacked!
msnmsg
msnmsg
CAL %d %6s
CAL %d %6s
ngr->blocksize: %d
ngr->blocksize: %d
block_size: %d
block_size: %d
\\.\pipe\%s
\\.\pipe\%s
kernel32.dll
kernel32.dll
%s_%d
%s_%d
-%sMutex
-%sMutex
ntdll.dll
ntdll.dll
%s-pid
%s-pid
%s-comm
%s-comm
JOIN #
JOIN #
PRIVMSG #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
PRIVMSG %5s
JOIN %5s
JOIN %5s
PRIVMSG
PRIVMSG
JOIN
JOIN
%s:%d
%s:%d
%s.%s%s
%s.%s%s
%S%s%s
%S%s%s
%s.%S%S
%s.%S%S
%S%S%S
%S%S%S
state_%s
state_%s
%s.%s (p='%S')
%s.%s (p='%S')
pop3://%s:%s@%s:%d
pop3://%s:%s@%s:%d
%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s.%s ->> %s : %s
%s-%s-%s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
hXXp://%s/%s
hXXp://%s/%s
hXXp://%s/
hXXp://%s/
POST /23s
POST /23s
[%s[%s%s[%s
[%s[%s%s[%s
n%s[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s]%s
%s]%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
hXXp://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
o1xg.org
o1xg.org
oxxtxxt.biz
oxxtxxt.biz
oeob.me
oeob.me
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
SDRR %s 0 0 :%s
KCIK %s
KCIK %s
SEND %s %s
SEND %s %s
PART %s
PART %s
PPPPMSG %s :%s
PPPPMSG %s :%s
QUIT :%s
QUIT :%s
PPNG %s
PPNG %s
PPPPMSG
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
hXXp://api.wipmania.com/
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\\.\pipe\9caf4c3f
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows
C:\Windows
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\themes\Dqlqlt.exe
7 767
7 767
8*808;8~8
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
\\.\pipe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\
:%S%S\
winlogon.exe
winlogon.exe
mspaint.exe
mspaint.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Windows\System32\conhost.exe
\Device\HarddiskVolume1\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
c:\%original file name%.exe
c:\%original file name%.exe