Skip to main content

Trojan.Muldrop.BDT_595d2fe558


Trojan-Dropper.Win32.Agent.akh (Kaspersky), Trojan.Muldrop.BDT (B) (Emsisoft), Trojan.Muldrop.BDT (AdAware), Trojan.Win32.Bumat.FD, Trojan.Win32.Sasfis.FD, Virus.Win32.Parite.B.FD, VirusParite.YR, GenericPhysicalDrive0.YR, BankerGeneric.YR (Lavasoft MAS) Behaviour: Trojan-Dropper, Banker, Trojan, Virus

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 595d2fe55837abb03136f44d32f550f2

SHA1: 9fa3ef3475d0bbe01f00c1734918d440027322f3

SHA256: 3830cab6ab5014f5453af5bd3d03f3fa671193032b6648a4b547c7c3b56041fc

SSDeep: 24576:b4usE2ccfcdSkvRryzXkfcdSkvRryzXEfcdSkvRryzXfU8ZKneTe:rn2VCSkvRGzXACSkvRGzXgCSkvRGzXf+

Size: 1511424 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PolyEnE001byLennartHedlund, WinUpackv030beta, Upackv032Beta, UPolyXv05_v6

Company: CamStudio Group

Created at: no data

Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

DATA0002.EXE:2956

%original file name%.exe:1760

Rundll32.exe:2696

Rundll32.exe:316

SysAnti.exe:440

DATA0000.EXE:1904

DrvInst.exe:1272

The Trojan injects its code into the following process(es):

rundll32.exe:3876

DATA0003.EXE:2060

DATA0001.EXE:2936

Svchost.exe:2920

IEXPLORE.EXE:2064

Explorer.EXE:2024

Mutexes

The following mutexes were created/opened:

No objects were found.

File activity

The process DATA0002.EXE:2956 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (49 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ila7751.tmp (11186 bytes)

C:\my.sys (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (0 bytes)

The process %original file name%.exe:1760 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0003.EXE (1766 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0001.EXE (77 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0002.EXE (618 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0000.EXE (552 bytes)

The process Rundll32.exe:2696 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\Fonts\upho.fon (6 bytes)

C:\Windows\Fonts\kdjnc.fon (32 bytes)

The Trojan deletes the following file(s):

C:\Windows\Fonts\upho.fon (0 bytes)

The process Rundll32.exe:316 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\Fonts\lmiv.fon (6 bytes)

The Trojan deletes the following file(s):

C:\Windows\Fonts\lmiv.fon (0 bytes)

The process SysAnti.exe:440 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\Fonts\kdjnc.fon (32 bytes)

The process DATA0003.EXE:2060 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (49 bytes)

\Device\Harddisk0\DR0 (7 bytes)

C:\my.sys (2 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7742.tmp (11186 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hook.rom (0 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (0 bytes)

C:\Windows\System32\drivers\bios.sys (0 bytes)

The process DATA0001.EXE:2936 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\RAV\CCtest.sys (7 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3120.reg (58 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAFF.tmp (4 bytes)

%Program Files%\RAV\CCtest.inf (4 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAEE.tmp (7 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAEE.tmp (0 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3120.reg (0 bytes)

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAFF.tmp (0 bytes)

The process DATA0000.EXE:1904 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7741.tmp (11186 bytes)

C:\Windows\Fonts\ghhtc.fon (32 bytes)

%Program Files%\Common Files\SysAnti.exe (1703 bytes)

The process DrvInst.exe:1272 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB4C.tmp (7 bytes)

C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB5C.tmp (4 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB4C.tmp (0 bytes)

C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB5C.tmp (0 bytes)

Registry activity

The process SysAnti.exe:440 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

"SysAnti" = "%Program Files%\Common Files\SysAnti.exe"

The process DATA0001.EXE:2936 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SYSTEM\Setup\SetupapiLogStatus]

"setupapi.dev.log" = "4096"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"AutoDetect" = "1"

 

[HKLM\SYSTEM\Setup\SetupapiLogStatus]

"setupapi.app.log" = "4096"

 

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]

"LanguageList" = "en-US, en"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"ProxyBypass"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"ProxyBypass"

"IntranetName"

 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"IntranetName"

The process DATA0000.EXE:1904 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"AutoDetect" = "1"

 

[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]

"FileDirectory" = "%windir%\tracing"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]

"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"UNCAsIntranet" = "0"

 

[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]

"EnableFileTracing" = "0"

 

[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASAPI32]

"FileDirectory" = "%windir%\tracing"

 

[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]

"FileTracingMask" = "4294901760"

 

[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASAPI32]

"ConsoleTracingMask" = "4294901760"

"MaxFileSize" = "1048576"

 

[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]

"EnableConsoleTracing" = "0"

"MaxFileSize" = "1048576"

"ConsoleTracingMask" = "4294901760"

 

[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASAPI32]

"FileTracingMask" = "4294901760"

"EnableFileTracing" = "0"

 

"EnableConsoleTracing" = "0"

Proxy settings are disabled:

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"ProxyBypass"

 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"ProxyBypass"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

"ProxyOverride"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"IntranetName"

 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

"IntranetName"

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

"ProxyServer"

"AutoConfigURL"

Dropped PE files

MD5 File path
861d9fee9290c78c2e794b3ca6e9bc77 c:\%original file name%.exe
7d6b20a018d24a25a55fbed8a68a92eb c:\Program Files\Common Files\SysAnti.exe
a9c38565a7134c16225faf7ccd96cd61 c:\Program Files\RAV\CCtest.sys
7d6b20a018d24a25a55fbed8a68a92eb c:\SysAnti.exe
78822fff0494912dc394c5095894cee7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0001.EXE
1e7c93864220813b5b0a52e7893cf2b6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0002.EXE
cbfcc5ef142c580c55a602ed1397ceea c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0003.EXE
685f1cbd4af30a1d0c25f252d399a666 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7741.tmp
685f1cbd4af30a1d0c25f252d399a666 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7742.tmp
685f1cbd4af30a1d0c25f252d399a666 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ila7751.tmp
a9c38565a7134c16225faf7ccd96cd61 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\CCTest.sys
650284d127f208fef9ac26f5aed9aa4e c:\Windows\Fonts\ghhtc.fon
650284d127f208fef9ac26f5aed9aa4e c:\Windows\Fonts\kdjnc.fon
a9c38565a7134c16225faf7ccd96cd61 c:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\CCTest.sys
ec313b6fbc41d3372949799ba59715f4 c:\Windows\flash.dll
353c3e4b55cb94a6e6a54dc423bddc6d c:\my.sys

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 794 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 www.360.cn
127.0.0.1 www.360safe.cn
127.0.0.1 www.360safe.com
127.0.0.1 www.chinakv.com
127.0.0.1 www.rising.com.cn
127.0.0.1 rising.com.cn
127.0.0.1 dl.jiangmin.com
127.0.0.1 jiangmin.com
127.0.0.1 www.jiangmin.com
127.0.0.1 www.duba.net
127.0.0.1 www.eset.com.cn
127.0.0.1 www.nod32.com
127.0.0.1 shadu.duba.net
127.0.0.1 union.kingsoft.com
127.0.0.1 www.kaspersky.com.cn
127.0.0.1 kaspersky.com.cn
127.0.0.1 virustotal.com
127.0.0.1 virscan.org
127.0.0.1 www.virscan.org
127.0.0.1 www.kaspersky.com
127.0.0.1 www.cnnod32.cn
127.0.0.1 www.lanniao.org
127.0.0.1 www.nod32club.com
127.0.0.1 www.dswlab.com
127.0.0.1 bbs.sucop.com
127.0.0.1 www.virustotal.com
127.0.0.1 tool.ikaka.com
127.0.0.1 360.qihoo.com
127.0.0.1 www.kafan.cn
127.0.0.1 bbs.kafan.cn
 

Rootkit activity

No anomalies have been detected.

Propagation

Static Analysis

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 4096 512 3.39105 1f4fb7d81227ebd0cb410783feb83a5f
DATA 8192 4096 512 0.273864 112ca019a106f4fe16f043f97b67e497
.idata 12288 4096 512 2.71676 2e7dcee722f41a792183832ae33c3a81
.reloc 16384 4096 512 0.620029 6d7aed319bec4769f502896c7af57209
.rsrc 20480 1511424 1507840 5.5044 5fd5957c86a8a23d8486837c58dc71e0

Dropped from:

 

Downloaded by:

 

Similar by SSDeep:

 

Similar by Lavasoft Polymorphic Checker:

 

Network Activity

URLs

URL IP
teredo.ipv6.microsoft.com
157.56.106.189
dns.msftncsi.com
131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

DATA0001.EXE_2936:

MZKERNEL32.DLL

.Upack

.rsrc

RCv=kAv.SCv

; File Name: CCTest.inf

; Generated by C DriverWizard 3.2.0 (Build 2485)

Signature="$WINDOWS NT$"

ClassGUID={D4A133FE-C9E5-4F11-A812-FED74DA86ED5}

DriverVer=5/7/2010,1.00.0000

CatalogFile=CCTest.cat

;reg-root,[subkey],[value-entry-name],[flags],[value]

HKR,,,%REG_SZ%,%DeviceClassName%

1 = %DiskId1%,,,""

CCTest.sys = 1,,

%CCTest_DeviceDesc$=CCTest_DDI, *CCTestDevice

; --------- Windows 98 -----------------

; cause problems in Windows 98

HKR,,NTMPDriver,,CCTest.sys

HKR,,Description,,%CCTest_DeviceDesc%

; --------- Windows NT -----------------

[CCTest_DDI.NT]

[CCTest_DDI.NT.Services]

Addservice = CCTest, %FLG_ADDREG_NOCLOBBER%, CCTest_Service

DisplayName = %CCTest_SvcDesc%

ServiceType = %SERVICE_KERNEL_DRIVER%

StartType = %SERVICE_DEMAND_START%

ErrorControl = %SERVICE_ERROR_NORMAL%

ServiceBinary = %12%\CCTest.sys

CCTest.sys,,,2

FLG_ADDREG_KEYONLY = 0x00000010

FLG_ADDREG_64BITKEY = 0x00001000

FLG_ADDREG_KEYONLY_COMMON = 0x00002000

FLG_ADDREG_32BITKEY = 0x00004000

.text

h.data

B.reloc

C:\9\CCTest\Driver\objfre\i386\CCTest.pdb

ntoskrnl.exe

HAL.dll

Zi{r $zrWhIsbxf^%dib h|YdBF\Wz\s}igJ %26!E`dU"\'fsD^e%zDCWW|QQ

%26$%$9"9%26

++%+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTEUQTLN

+KWT+%++KZaxxg`fT+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTWUDVPLNT PV

+sq`x}zqTg`pTTMUUUB+0vug}wK}g`fquyTPA+0w|ufK`fu}`gTPTg`pTTT%TUUB%26%TUUB+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TT%TTN

+K@}pmT+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTUUQLKZTN

+ugg}szT+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTEUQUUB%%26TDVP]TN

%4%0%%26lt;%8%$% %,%(%T%P%\%X%D%@%L%H%t%p%|%x%d%`%l%h%

setupapi.dll

shell32.dll

advapi32.dll

reg.exe

import

3120.reg

tmpacik.tmp

%scd%d.exe

SSShh

KERNEL32.DLL

GetWindowsDirectoryA

GetCPInfo

USER32.DLL

SETUPAPI.DLL

]%CSjv

Windows NT\

svchost.exe

CCTest.sys

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]

"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]

"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"

"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"

00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]

"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"

"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]

"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"

"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]

"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"

"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]

"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]

"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"

"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"

"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"

"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]

"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"

"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"

"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"

00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]

"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"

"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"

"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]

"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"

"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]

"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"

"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"

"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"

"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"

00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]

"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"

"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"

"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]

"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"

"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"

"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]

"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"

"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"

"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

DATA0001.EXE_2936_rwx_00401000_00022000:

RCv=kAv.SCv

; File Name: CCTest.inf

; Generated by C DriverWizard 3.2.0 (Build 2485)

Signature="$WINDOWS NT$"

ClassGUID={D4A133FE-C9E5-4F11-A812-FED74DA86ED5}

DriverVer=5/7/2010,1.00.0000

CatalogFile=CCTest.cat

;reg-root,[subkey],[value-entry-name],[flags],[value]

HKR,,,%REG_SZ%,%DeviceClassName%

1 = %DiskId1%,,,""

CCTest.sys = 1,,

%CCTest_DeviceDesc$=CCTest_DDI, *CCTestDevice

; --------- Windows 98 -----------------

; cause problems in Windows 98

HKR,,NTMPDriver,,CCTest.sys

HKR,,Description,,%CCTest_DeviceDesc%

; --------- Windows NT -----------------

[CCTest_DDI.NT]

[CCTest_DDI.NT.Services]

Addservice = CCTest, %FLG_ADDREG_NOCLOBBER%, CCTest_Service

DisplayName = %CCTest_SvcDesc%

ServiceType = %SERVICE_KERNEL_DRIVER%

StartType = %SERVICE_DEMAND_START%

ErrorControl = %SERVICE_ERROR_NORMAL%

ServiceBinary = %12%\CCTest.sys

CCTest.sys,,,2

FLG_ADDREG_KEYONLY = 0x00000010

FLG_ADDREG_64BITKEY = 0x00001000

FLG_ADDREG_KEYONLY_COMMON = 0x00002000

FLG_ADDREG_32BITKEY = 0x00004000

.text

h.data

.rsrc

B.reloc

C:\9\CCTest\Driver\objfre\i386\CCTest.pdb

ntoskrnl.exe

HAL.dll

Zi{r $zrWhIsbxf^%dib h|YdBF\Wz\s}igJ %26!E`dU"\'fsD^e%zDCWW|QQ

%26$%$9"9%26

++%+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTEUQTLN

+KWT+%++KZaxxg`fT+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTWUDVPLNT PV

+sq`x}zqTg`pTTMUUUB+0vug}wK}g`fquyTPA+0w|ufK`fu}`gTPTg`pTTT%TUUB%26%TUUB+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TT%TTN

+K@}pmT+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTUUQLKZTN

+ugg}szT+0vug}wKg`f}zsTPA+0w|ufK`fu}`gTPTg`pTTB+0uxx{wu`{fTPT%26TTg`pTTEUQUUB%%26TDVP]TN

%4%0%%26lt;%8%$% %,%(%T%P%\%X%D%@%L%H%t%p%|%x%d%`%l%h%

setupapi.dll

shell32.dll

advapi32.dll

reg.exe

import

3120.reg

tmpacik.tmp

%scd%d.exe

SSShh

KERNEL32.DLL

GetWindowsDirectoryA

GetCPInfo

USER32.DLL

SETUPAPI.DLL

Windows NT\

svchost.exe

CCTest.sys

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]

"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]

"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"

"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"

00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]

"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"

"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]

"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"

"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]

"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"

"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]

"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]

"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"

"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"

"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"

"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]

"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"

"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"

"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"

00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]

"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"

"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"

"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]

"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"

"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]

"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"

"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"

"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"

"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"

00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]

"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"

"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"

"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]

"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"

"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"

"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]

"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"

"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"

"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

DATA0001.EXE_2936_rwx_0042B000_00008000:

]%CSjv

DATA0003.EXE_2060:

!This program cannoc:\my.sys

.text

`.rdata

.data

.rsrc

@.nkh

MSVCRT

PSAPI.DLL

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

\\.\PHYSICALDRIVE0

~DFE0F5.tmp

[-]OpenSCManager Failed in LoadDriver %d

c:\bios.bin

%s %s /isa %s

%s %s /isa release

cbrom.exe

\\.\Bios

explorer.exe

svchost.exe

services.exe

\flash.dll

\\.\MyDeviceDriver

\drivers\beep.sys

beep.sys

RSTray.exe

\drivers\bios.sys

hook.rom

User32.DLL

c:\my.sys

L%xSl

PvtS%D

S.HHu"$J

}b~%c

?.GMA

Kernel32.dll

RegOpenKeyExA

RegCloseKey

Software\Microsoft\Windows\CurrentVersion\Explorer

DATA0003.EXE_2060_rwx_001D1000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv-%26gt;tpClass.tpcFlags %26 CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

%02d/%02d/%04d %02d:%02d:%02d.%03d

An exception (%08X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpClass.tpcDtorAddr

(errPtr-%26gt;ERRcInitDtc %26gt;= varType-%26gt;tpClass.tpcDtorCount) || flags

memType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpArr.tpaElemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

dttPtr-%26gt;dttType-%26gt;tpPtr.tppBaseType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

IS_CLASS(dttPtr-%26gt;dttType-%26gt;tpMask) %26%26 (dttPtr-%26gt;dttType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR)

elemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

Cv.SCv

Bv}.Bv

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

%8000404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(%26%26$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt+ Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)+Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

DATA0003.EXE_2060_rwx_00403000_00002000:

MSVCRT

PSAPI.DLL

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

\\.\PHYSICALDRIVE0

~DFE0F5.tmp

[-]OpenSCManager Failed in LoadDriver %d

c:\bios.bin

%s %s /isa %s

%s %s /isa release

cbrom.exe

\\.\Bios

explorer.exe

svchost.exe

services.exe

\flash.dll

\\.\MyDeviceDriver

\drivers\beep.sys

beep.sys

RSTray.exe

\drivers\bios.sys

hook.rom

User32.DLL

c:\my.sys

DATA0003.EXE_2060_rwx_00422000_00001000:

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

Software\Microsoft\Windows\CurrentVersion\Explorer

Svchost.exe_2920:

.idata

.rdata

P.reloc

P.rsrc

P.xur

Portions Copyright (c) 1999,2003 Avenger by NhT

kernel32.dll

hXXp://

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Windows 95

Windows 95 OSR 2

Windows 98

Windows 98 Second Edition

Windows Millenium

Windows NT

Windows NT 3.5

Windows NT 4.0

Windows 2000

Windows XP

Windows XP Service Pack 2

Windows XP x64

Windows Server 2003

Windows Vista

Windows Server Longhorn

rpcrt4.dll

ntdll.dll

Kernel32.dll

Unit_GetWebSV

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

HttpOpenRequestA

HttpSendRequestA

ShellExecuteA

Shell32.dll

360hotfix.exe;360rpt.exe;360Safe.exe;360safebox.exe;360tray.exe;adam.exe;AgentSvr.exe;AntiArp.exe;AppSvc32.exe;arvmon.exe;AutoGuarder.exe;autoruns.exe;avgrssvc.exe;AvMonitor.exe;avp.com;avp.exe;CCenter.exe;ccSvcHst.exe;FileDsty.exe;findt2005.exe;FTCleanerShell.exe;HijackThis.exe;IceSword.exe;iparmo.exe;Iparmor.exe;IsHelp.exe;isPwdSvc.exe;kabaload.exe;KaScrScn.SCR;KASMain.exe;KASTask.exe;KAV32.exe;KAVDX.exe;KAVPFW.exe;KAVSetup.exe;KAVStart.exe;killhidepid.exe;KISLnchr.exe;KMailMon.exe;KMFilter.exe;KPFW32.exe;KPFW32X.exe;KPFWSvc.exe;KRepair.COM;KsLoader.exe;KVCenter.kxp;KvDetect.exe;kvfw.exe;KvfwMcl.exe;KVMonXP.kxp;KVMonXP_1.kxp;kvol.exe;kvolself.exe;KvReport.kxp;KVScan.kxp;KVSrvXP.exe;KVStub.kxp;kvupload.exe;kvwsc.exe;KvXP.kxp;KvXP_1.kxp;KWatch.exe;KWatch9x.exe;KWatchX.exe;loaddll.exe;MagicSet.exe;mcconsol.exe;mmqczj.exe;mmsk.exe;NAVSetup.exe;nod32krn.exe;nod32kui.exe;PFW.exe;PFWLiveUpdate.exe;QHSET.exe;Ras.exe;Rav.exe;RavCopy.exe;RavMon.exe;RavMonD.exe;RavStore.exe;RavStub.exe;ravt08.exe;RavTask.exe;RegClean.exe;RegEx.exe;rfwcfg.exe;RfwMain.exe;rfwolusr.exe;rfwProxy.exe;rfwsrv.exe;RsAgent.exe;Rsaupd.exe;RsMain.exe;rsnetsvr.exe;RSTray.exe;runiep.exe;safebank.exe;safeboxTray.exe;safelive.exe;scan32.exe;ScanFrm.exe;shcfg32.exe;smartassistant.exe;SmartUp.exe;SREng.exe;SREngPS.exe;symlcsvc.exe;syscheck.exe;Syscheck2.exe;SysSafe.exe;ToolsUp.exe;TrojanDetector.exe;Trojanwall.exe;TrojDie.kxp;UIHost.exe;UmxAgent.exe;UmxAttachment.exe;UmxCfg.exe;UmxFwHlp.exe;UmxPol.exe;UpLive.exe;WoptiClean.exe;zxsweep.exe;LiveUpdate360.exe;

AutoRun.inf

Open=%s

Shell\Open\Command=%s

Shell\Explore\Command=%s

Sfc.dll

VVV.360.cn

VVV.360safe.cn

VVV.360safe.com

VVV.chinakv.com

VVV.rising.com.cn

rising.com.cn

dl.jiangmin.com

jiangmin.com

VVV.jiangmin.com

VVV.duba.net

VVV.eset.com.cn

VVV.nod32.com

shadu.duba.net

union.kingsoft.com

VVV.kaspersky.com.cn

kaspersky.com.cn

virustotal.com

virscan.org

VVV.virscan.org

VVV.kaspersky.com

VVV.cnnod32.cn

VVV.lanniao.org

VVV.nod32club.com

VVV.dswlab.com

bbs.sucop.com

VVV.virustotal.com

tool.ikaka.com

360.qihoo.com

VVV.kafan.cn

bbs.kafan.cn

127.0.0.1

%02d-%02d-%02d %02d:%02d:%02d

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

%26Key=

cmd /c erase /F "

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

"!"""%26"""

",#)#%("8""

?""$%26lt;""%26gt;%26lt;""

22222222

930+2|222

2222222

.Rr23D#X2X2X2Z

.Rr22F%bb`fX0X2Z

.Rr23D5ba

.Rr23D/b`c

.Rr23D `fX3X2Z

.Rr23D"fX0X2Z

.Rr22E

.Rr22E'b

.Rr22E=

(+(((,(((

%)(@(.)(

(()()(-(

(8((8(((2

22222222222222

22322232223222

22220222

2222=2223

GetProcessHeap

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

WinExec

GetWindowsDirectoryA

t!==9sff!%26lt;('.qqq

KWindows

LUnit_GetWeb

Unit_NsPass

ADVAPI32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer

Svchost.exe_2920_rwx_000E1000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv-%26gt;tpClass.tpcFlags %26 CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

%02d/%02d/%04d %02d:%02d:%02d.%03d

An exception (%08X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpClass.tpcDtorAddr

(errPtr-%26gt;ERRcInitDtc %26gt;= varType-%26gt;tpClass.tpcDtorCount) || flags

memType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpArr.tpaElemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

dttPtr-%26gt;dttType-%26gt;tpPtr.tppBaseType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

IS_CLASS(dttPtr-%26gt;dttType-%26gt;tpMask) %26%26 (dttPtr-%26gt;dttType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR)

elemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

Cv.SCv

Bv}.Bv

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

%8000404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(%26%26$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt+ Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)+Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Svchost.exe_2920_rwx_00400000_0001F000:

.idata

.rdata

P.reloc

P.rsrc

P.xur

Portions Copyright (c) 1999,2003 Avenger by NhT

kernel32.dll

hXXp://

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Windows 95

Windows 95 OSR 2

Windows 98

Windows 98 Second Edition

Windows Millenium

Windows NT

Windows NT 3.5

Windows NT 4.0

Windows 2000

Windows XP

Windows XP Service Pack 2

Windows XP x64

Windows Server 2003

Windows Vista

Windows Server Longhorn

rpcrt4.dll

ntdll.dll

Kernel32.dll

Unit_GetWebSV

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

HttpOpenRequestA

HttpSendRequestA

ShellExecuteA

Shell32.dll

360hotfix.exe;360rpt.exe;360Safe.exe;360safebox.exe;360tray.exe;adam.exe;AgentSvr.exe;AntiArp.exe;AppSvc32.exe;arvmon.exe;AutoGuarder.exe;autoruns.exe;avgrssvc.exe;AvMonitor.exe;avp.com;avp.exe;CCenter.exe;ccSvcHst.exe;FileDsty.exe;findt2005.exe;FTCleanerShell.exe;HijackThis.exe;IceSword.exe;iparmo.exe;Iparmor.exe;IsHelp.exe;isPwdSvc.exe;kabaload.exe;KaScrScn.SCR;KASMain.exe;KASTask.exe;KAV32.exe;KAVDX.exe;KAVPFW.exe;KAVSetup.exe;KAVStart.exe;killhidepid.exe;KISLnchr.exe;KMailMon.exe;KMFilter.exe;KPFW32.exe;KPFW32X.exe;KPFWSvc.exe;KRepair.COM;KsLoader.exe;KVCenter.kxp;KvDetect.exe;kvfw.exe;KvfwMcl.exe;KVMonXP.kxp;KVMonXP_1.kxp;kvol.exe;kvolself.exe;KvReport.kxp;KVScan.kxp;KVSrvXP.exe;KVStub.kxp;kvupload.exe;kvwsc.exe;KvXP.kxp;KvXP_1.kxp;KWatch.exe;KWatch9x.exe;KWatchX.exe;loaddll.exe;MagicSet.exe;mcconsol.exe;mmqczj.exe;mmsk.exe;NAVSetup.exe;nod32krn.exe;nod32kui.exe;PFW.exe;PFWLiveUpdate.exe;QHSET.exe;Ras.exe;Rav.exe;RavCopy.exe;RavMon.exe;RavMonD.exe;RavStore.exe;RavStub.exe;ravt08.exe;RavTask.exe;RegClean.exe;RegEx.exe;rfwcfg.exe;RfwMain.exe;rfwolusr.exe;rfwProxy.exe;rfwsrv.exe;RsAgent.exe;Rsaupd.exe;RsMain.exe;rsnetsvr.exe;RSTray.exe;runiep.exe;safebank.exe;safeboxTray.exe;safelive.exe;scan32.exe;ScanFrm.exe;shcfg32.exe;smartassistant.exe;SmartUp.exe;SREng.exe;SREngPS.exe;symlcsvc.exe;syscheck.exe;Syscheck2.exe;SysSafe.exe;ToolsUp.exe;TrojanDetector.exe;Trojanwall.exe;TrojDie.kxp;UIHost.exe;UmxAgent.exe;UmxAttachment.exe;UmxCfg.exe;UmxFwHlp.exe;UmxPol.exe;UpLive.exe;WoptiClean.exe;zxsweep.exe;LiveUpdate360.exe;

AutoRun.inf

Open=%s

Shell\Open\Command=%s

Shell\Explore\Command=%s

Sfc.dll

VVV.360.cn

VVV.360safe.cn

VVV.360safe.com

VVV.chinakv.com

VVV.rising.com.cn

rising.com.cn

dl.jiangmin.com

jiangmin.com

VVV.jiangmin.com

VVV.duba.net

VVV.eset.com.cn

VVV.nod32.com

shadu.duba.net

union.kingsoft.com

VVV.kaspersky.com.cn

kaspersky.com.cn

virustotal.com

virscan.org

VVV.virscan.org

VVV.kaspersky.com

VVV.cnnod32.cn

VVV.lanniao.org

VVV.nod32club.com

VVV.dswlab.com

bbs.sucop.com

VVV.virustotal.com

tool.ikaka.com

360.qihoo.com

VVV.kafan.cn

bbs.kafan.cn

127.0.0.1

%02d-%02d-%02d %02d:%02d:%02d

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

%26Key=

cmd /c erase /F "

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

"!"""%26"""

",#)#%("8""

?""$%26lt;""%26gt;%26lt;""

22222222

930+2|222

2222222

.Rr23D#X2X2X2Z

.Rr22F%bb`fX0X2Z

.Rr23D5ba

.Rr23D/b`c

.Rr23D `fX3X2Z

.Rr23D"fX0X2Z

.Rr22E

.Rr22E'b

.Rr22E=

(+(((,(((

%)(@(.)(

(()()(-(

(8((8(((2

22222222222222

22322232223222

22220222

2222=2223

GetProcessHeap

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

WinExec

GetWindowsDirectoryA

t!==9sff!%26lt;('.qqq

KWindows

LUnit_GetWeb

Unit_NsPass

ADVAPI32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer

IEXPLORE.EXE_2064:

.idata

.rdata

P.reloc

P.rsrc

P.xur

Portions Copyright (c) 1999,2003 Avenger by NhT

kernel32.dll

hXXp://

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Windows 95

Windows 95 OSR 2

Windows 98

Windows 98 Second Edition

Windows Millenium

Windows NT

Windows NT 3.5

Windows NT 4.0

Windows 2000

Windows XP

Windows XP Service Pack 2

Windows XP x64

Windows Server 2003

Windows Vista

Windows Server Longhorn

rpcrt4.dll

ntdll.dll

Kernel32.dll

Unit_GetWebSV

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

HttpOpenRequestA

HttpSendRequestA

ShellExecuteA

Shell32.dll

360hotfix.exe;360rpt.exe;360Safe.exe;360safebox.exe;360tray.exe;adam.exe;AgentSvr.exe;AntiArp.exe;AppSvc32.exe;arvmon.exe;AutoGuarder.exe;autoruns.exe;avgrssvc.exe;AvMonitor.exe;avp.com;avp.exe;CCenter.exe;ccSvcHst.exe;FileDsty.exe;findt2005.exe;FTCleanerShell.exe;HijackThis.exe;IceSword.exe;iparmo.exe;Iparmor.exe;IsHelp.exe;isPwdSvc.exe;kabaload.exe;KaScrScn.SCR;KASMain.exe;KASTask.exe;KAV32.exe;KAVDX.exe;KAVPFW.exe;KAVSetup.exe;KAVStart.exe;killhidepid.exe;KISLnchr.exe;KMailMon.exe;KMFilter.exe;KPFW32.exe;KPFW32X.exe;KPFWSvc.exe;KRepair.COM;KsLoader.exe;KVCenter.kxp;KvDetect.exe;kvfw.exe;KvfwMcl.exe;KVMonXP.kxp;KVMonXP_1.kxp;kvol.exe;kvolself.exe;KvReport.kxp;KVScan.kxp;KVSrvXP.exe;KVStub.kxp;kvupload.exe;kvwsc.exe;KvXP.kxp;KvXP_1.kxp;KWatch.exe;KWatch9x.exe;KWatchX.exe;loaddll.exe;MagicSet.exe;mcconsol.exe;mmqczj.exe;mmsk.exe;NAVSetup.exe;nod32krn.exe;nod32kui.exe;PFW.exe;PFWLiveUpdate.exe;QHSET.exe;Ras.exe;Rav.exe;RavCopy.exe;RavMon.exe;RavMonD.exe;RavStore.exe;RavStub.exe;ravt08.exe;RavTask.exe;RegClean.exe;RegEx.exe;rfwcfg.exe;RfwMain.exe;rfwolusr.exe;rfwProxy.exe;rfwsrv.exe;RsAgent.exe;Rsaupd.exe;RsMain.exe;rsnetsvr.exe;RSTray.exe;runiep.exe;safebank.exe;safeboxTray.exe;safelive.exe;scan32.exe;ScanFrm.exe;shcfg32.exe;smartassistant.exe;SmartUp.exe;SREng.exe;SREngPS.exe;symlcsvc.exe;syscheck.exe;Syscheck2.exe;SysSafe.exe;ToolsUp.exe;TrojanDetector.exe;Trojanwall.exe;TrojDie.kxp;UIHost.exe;UmxAgent.exe;UmxAttachment.exe;UmxCfg.exe;UmxFwHlp.exe;UmxPol.exe;UpLive.exe;WoptiClean.exe;zxsweep.exe;LiveUpdate360.exe;

AutoRun.inf

Open=%s

Shell\Open\Command=%s

Shell\Explore\Command=%s

Sfc.dll

VVV.360.cn

VVV.360safe.cn

VVV.360safe.com

VVV.chinakv.com

VVV.rising.com.cn

rising.com.cn

dl.jiangmin.com

jiangmin.com

VVV.jiangmin.com

VVV.duba.net

VVV.eset.com.cn

VVV.nod32.com

shadu.duba.net

union.kingsoft.com

VVV.kaspersky.com.cn

kaspersky.com.cn

virustotal.com

virscan.org

VVV.virscan.org

VVV.kaspersky.com

VVV.cnnod32.cn

VVV.lanniao.org

VVV.nod32club.com

VVV.dswlab.com

bbs.sucop.com

VVV.virustotal.com

tool.ikaka.com

360.qihoo.com

VVV.kafan.cn

bbs.kafan.cn

127.0.0.1

%02d-%02d-%02d %02d:%02d:%02d

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

%26Key=

cmd /c erase /F "

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

"!"""%26"""

",#)#%("8""

?""$%26lt;""%26gt;%26lt;""

22222222

930+2|222

2222222

.Rr23D#X2X2X2Z

.Rr22F%bb`fX0X2Z

.Rr23D5ba

.Rr23D/b`c

.Rr23D `fX3X2Z

.Rr23D"fX0X2Z

.Rr22E

.Rr22E'b

.Rr22E=

(+(((,(((

%)(@(.)(

(()()(-(

(8((8(((2

22222222222222

22322232223222

22220222

2222=2223

GetProcessHeap

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

WinExec

GetWindowsDirectoryA

t!==9sff!%26lt;('.qqq

KWindows

LUnit_GetWeb

Unit_NsPass

ADVAPI32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer

IEXPLORE.EXE_2064_rwx_00400000_0001F000:

.idata

.rdata

P.reloc

P.rsrc

P.xur

Portions Copyright (c) 1999,2003 Avenger by NhT

kernel32.dll

hXXp://

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Windows 95

Windows 95 OSR 2

Windows 98

Windows 98 Second Edition

Windows Millenium

Windows NT

Windows NT 3.5

Windows NT 4.0

Windows 2000

Windows XP

Windows XP Service Pack 2

Windows XP x64

Windows Server 2003

Windows Vista

Windows Server Longhorn

rpcrt4.dll

ntdll.dll

Kernel32.dll

Unit_GetWebSV

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

HttpOpenRequestA

HttpSendRequestA

ShellExecuteA

Shell32.dll

360hotfix.exe;360rpt.exe;360Safe.exe;360safebox.exe;360tray.exe;adam.exe;AgentSvr.exe;AntiArp.exe;AppSvc32.exe;arvmon.exe;AutoGuarder.exe;autoruns.exe;avgrssvc.exe;AvMonitor.exe;avp.com;avp.exe;CCenter.exe;ccSvcHst.exe;FileDsty.exe;findt2005.exe;FTCleanerShell.exe;HijackThis.exe;IceSword.exe;iparmo.exe;Iparmor.exe;IsHelp.exe;isPwdSvc.exe;kabaload.exe;KaScrScn.SCR;KASMain.exe;KASTask.exe;KAV32.exe;KAVDX.exe;KAVPFW.exe;KAVSetup.exe;KAVStart.exe;killhidepid.exe;KISLnchr.exe;KMailMon.exe;KMFilter.exe;KPFW32.exe;KPFW32X.exe;KPFWSvc.exe;KRepair.COM;KsLoader.exe;KVCenter.kxp;KvDetect.exe;kvfw.exe;KvfwMcl.exe;KVMonXP.kxp;KVMonXP_1.kxp;kvol.exe;kvolself.exe;KvReport.kxp;KVScan.kxp;KVSrvXP.exe;KVStub.kxp;kvupload.exe;kvwsc.exe;KvXP.kxp;KvXP_1.kxp;KWatch.exe;KWatch9x.exe;KWatchX.exe;loaddll.exe;MagicSet.exe;mcconsol.exe;mmqczj.exe;mmsk.exe;NAVSetup.exe;nod32krn.exe;nod32kui.exe;PFW.exe;PFWLiveUpdate.exe;QHSET.exe;Ras.exe;Rav.exe;RavCopy.exe;RavMon.exe;RavMonD.exe;RavStore.exe;RavStub.exe;ravt08.exe;RavTask.exe;RegClean.exe;RegEx.exe;rfwcfg.exe;RfwMain.exe;rfwolusr.exe;rfwProxy.exe;rfwsrv.exe;RsAgent.exe;Rsaupd.exe;RsMain.exe;rsnetsvr.exe;RSTray.exe;runiep.exe;safebank.exe;safeboxTray.exe;safelive.exe;scan32.exe;ScanFrm.exe;shcfg32.exe;smartassistant.exe;SmartUp.exe;SREng.exe;SREngPS.exe;symlcsvc.exe;syscheck.exe;Syscheck2.exe;SysSafe.exe;ToolsUp.exe;TrojanDetector.exe;Trojanwall.exe;TrojDie.kxp;UIHost.exe;UmxAgent.exe;UmxAttachment.exe;UmxCfg.exe;UmxFwHlp.exe;UmxPol.exe;UpLive.exe;WoptiClean.exe;zxsweep.exe;LiveUpdate360.exe;

AutoRun.inf

Open=%s

Shell\Open\Command=%s

Shell\Explore\Command=%s

Sfc.dll

VVV.360.cn

VVV.360safe.cn

VVV.360safe.com

VVV.chinakv.com

VVV.rising.com.cn

rising.com.cn

dl.jiangmin.com

jiangmin.com

VVV.jiangmin.com

VVV.duba.net

VVV.eset.com.cn

VVV.nod32.com

shadu.duba.net

union.kingsoft.com

VVV.kaspersky.com.cn

kaspersky.com.cn

virustotal.com

virscan.org

VVV.virscan.org

VVV.kaspersky.com

VVV.cnnod32.cn

VVV.lanniao.org

VVV.nod32club.com

VVV.dswlab.com

bbs.sucop.com

VVV.virustotal.com

tool.ikaka.com

360.qihoo.com

VVV.kafan.cn

bbs.kafan.cn

127.0.0.1

%02d-%02d-%02d %02d:%02d:%02d

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

%26Key=

cmd /c erase /F "

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

"!"""%26"""

",#)#%("8""

?""$%26lt;""%26gt;%26lt;""

22222222

930+2|222

2222222

.Rr23D#X2X2X2Z

.Rr22F%bb`fX0X2Z

.Rr23D5ba

.Rr23D/b`c

.Rr23D `fX3X2Z

.Rr23D"fX0X2Z

.Rr22E

.Rr22E'b

.Rr22E=

(+(((,(((

%)(@(.)(

(()()(-(

(8((8(((2

22222222222222

22322232223222

22220222

2222=2223

GetProcessHeap

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

WinExec

GetWindowsDirectoryA

t!==9sff!%26lt;('.qqq

KWindows

LUnit_GetWeb

Unit_NsPass

ADVAPI32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer

IEXPLORE.EXE_2064_rwx_00421000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLkB

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0C

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdzD

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv-%26gt;tpClass.tpcFlags %26 CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

%02d/%02d/%04d %02d:%02d:%02d.%03d

An exception (%08X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpClass.tpcDtorAddr

(errPtr-%26gt;ERRcInitDtc %26gt;= varType-%26gt;tpClass.tpcDtorCount) || flags

memType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpArr.tpaElemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

dttPtr-%26gt;dttType-%26gt;tpPtr.tppBaseType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

IS_CLASS(dttPtr-%26gt;dttType-%26gt;tpMask) %26%26 (dttPtr-%26gt;dttType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR)

elemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

Cv.SCv

Bv}.Bv

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

%8000404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(%26%26$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt+ Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)+Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

svchost.exe_3704:

.text

`.data

.rsrc

@.reloc

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

ole32.dll

ntdll.dll

_amsg_exit

RegCloseKey

RegOpenKeyExW

GetProcessHeap

svchost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

%26lt;description%26gt;Host Process for Windows Services%26lt;/description%26gt;

%26lt;requestedExecutionLevel

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

Windows

Operating System

6.1.7600.16385

DrvInst.exe_1272:

.text

`.data

.rsrc

@.reloc

msvcrt.dll

ntdll.dll

API-MS-Win-Core-Debug-L1-1-0.dll

API-MS-Win-Core-ErrorHandling-L1-1-0.dll

API-MS-Win-Core-File-L1-1-0.dll

API-MS-Win-Core-Handle-L1-1-0.dll

API-MS-Win-Core-Heap-L1-1-0.dll

API-MS-Win-Core-Interlocked-L1-1-0.dll

API-MS-Win-Core-IO-L1-1-0.dll

API-MS-Win-Core-LibraryLoader-L1-1-0.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

API-MS-Win-Core-Memory-L1-1-0.dll

API-MS-Win-Core-Misc-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-Profile-L1-1-0.dll

API-MS-Win-Core-String-L1-1-0.dll

API-MS-Win-Core-Synch-L1-1-0.dll

API-MS-Win-Core-SysInfo-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

SETUPAPI.dll

cfgmgr32.DLL

devrtl.DLL

KERNEL32.dll

Exception in DRVINST.EXE HandleDeviceInstallEntry!, ExceptionCode = 0x%08lx

Exception in DRVINST.EXE wmain!, ExceptionCode = 0x%08lx

Driver package failed signature validation. Error = 0x%08X

System restore disabled by policy. Error = 0x%08X

Unable to mark devices that match new INF - (%08x)!

DRVINST.EXE: Entering debugger while %ws driver package to Driver Store.

Ea~Cancel Windows Update search failed!

Received request to cancel Windows Update search.

CancelWUOperation

Error (%08x):Unexpected cancel wait failure!

Error 0x%X opening up RunOnce key.

{Core Device Install - exit(0x%08x)}

Queueing up error report since device installation failed...

Policy is set to skip sending error report for additional software requested

Additional software is requested so a WER report should be sent, but the sending of WER reports from drvinst has been suppressed.

Queueing up error report since additional software is requested...

Policy is set to skip sending error report for generic device driver install

A generic driver was installed so a WER report should be sent, but the sending of WER reports from drvinst has been suppressed.

Queueing up error report since device driver is generic...

Queueing up error report since device has a PnP problem...

Device install status=0x%08x

Error(%08x) installing device!

Enabling shuffle-move file queue operations.

Error(%08x) determining installation policy for device!

Error(%08x) creating drvinst install mutex!

No driver found on Windows Update.

Failed to load download functions from search DLL! Error=%d

Selecting best match from Windows Update...

Failed to build driver list from WU package. Error=%d

Found driver on Windows Update, downloading - %.1f MB...

Windows Update driver search cancelled.

Error(%08x) opening WU cancel event!

Error(%08x) creating WU search serialization mutex!

Failed to load search function from search DLL! Error=%d

Searching Windows Update for drivers...

INF specified BasicDriverOk for this device, skipping Windows Update search.

Failed to load WU search DLL! Error=%d

Failed to load initialization functions from search DLL! Error=%d

Skipping Windows Update because no internet connection!

Device driver was updated during servicing, skipping Windows Update search.

Driver Store import failed, failing install.

Error(%08x) creating cancel thread!

Error(%08x) opening cancel thread event!

Error(%08x) creating end-cancel thread event!

Error(%08x) creating Device Manager sync event!

DRVINST.EXE: Entering debugger during PnP device installation.

DRVINST.EXE: Waiting for debugger on Process ID = %d ...

DRVINST.EXE: Unknown DebugInstall options, NOT breaking to debugger.

The system will restart in %d seconds in order to enforce device installation restriction policy.

{Driver package policy check - exit(0x%08x)}

Driver Package importation is subject to policy

{Device installation policy check [%ws] exit(0x%08x)}

{Device Installation Restrictions Policy Check - exit(0x%08x)}

{Device Removal Initiated by Policy Change [%ws] exit(0x%08x)}

API-MS-Win-Security-SDDL-L1-1-0.dll

ADVAPI32.dll

COMCTL32.dll

OS Version = %d.%d.%d

Service Pack = %d.%d

Suite = 0x%04x

ProductType = %d

Architecture = %s

%04d/%02d/%02d

%02d:%02d:%02d.%03d

[Exit status: FAILURE(0x%08x)]

cmd: %s

os: Version = %d.%d.%d, Service Pack = %d.%d, Suite = 0x%04x, ProductType = %d, Architecture = %s

[Boot Session: %04d/%02d/%02d %02d:%02d:%02d.%03d]

[%s - %s]

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

drvstore.dll

DrvInst.pdb

udPPj

Ht.Ht

PSSSSSSh

pServerImportDriverPackage

_amsg_exit

SetupDiReportDeviceInstallError

SetupDiReportAdditionalSoftwareRequested

SetupDiReportGenericDriverInstalled

SetupDiReportPnPDeviceProblem

SetupDiReportDriverNotFoundError

SetupDiOpenDevRegKey

GetSystemWindowsDirectoryW

GetProcessHeap

name="Microsoft.Windows.DrvInst"

version="5.1.0.0"

%26lt;requestedExecutionLevel

2"363;3@3

Global\DrvInst_CancelSearch_{86EC8168-ECD8-46ac-B312-AAE1DAF80BB8}

!%d-%d-%d

%0d.%0d.%0d.%0d

streamci.dll

rundll32.exe

Software\Microsoft\Windows\CurrentVersion\RunOnce

setupapi.dll

!DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}

!DrvInst.exe_mutex_{6848E37B-F8FA-404d-AF21-279E723B6D35}

Software\Microsoft\Windows\CurrentVersion\Device Installer

Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\DoqInProgress

Software\Microsoft\Windows\CurrentVersion\DriverSearching

Software\Policies\Microsoft\Windows\DriverSearching

Software\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin

Software\Policies\Microsoft\Windows\DeviceInstall

Software\Policies\Microsoft\Windows\DriverInstall

Registry Keys

Software\Microsoft\Windows\CurrentVersion\Setup

setupapi.offline.log

setupapi.dev.log

setupapi.app.log

%s.%04d%02d%02d_%02d%02d%02d.%s

%s.????????_??????.%s

setupapi.ev3

setupapi.ev2

setupapi.ev1

advapi32.dll

6.1.7600.16385 (win7_rtm.090713-1255)

DrvInst.EXE

Windows

Operating System

6.1.7600.16385

rundll32.exe_3876:

.text

`.data

.rsrc

@.reloc

KERNEL32.dll

USER32.dll

msvcrt.dll

imagehlp.dll

ntdll.dll

Av.TBv

?.ulf

.ue9]

ole32.dll

_amsg_exit

_wcmdln

rundll32.pdb

name="Microsoft.Windows.Shell.rundll32"

version="5.1.0.0"

%26lt;requestedExecutionLevel level="asInvoker" uiAccess="false"/%26gt;

name="Microsoft.Windows.Shell.rundll32"

version="5.1.0.0"

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

{00000000-0000-0000-0000-000000000000}

\\?\Volume

\\?\UNC\

rundll32.exe

Windows host process (Rundll32)

6.1.7600.16385 (win7_rtm.090713-1255)

RUNDLL32.EXE

Windows

Operating System

6.1.7600.16385

Explorer.EXE_2024_rwx_046C1000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLkl

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0m

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdzn

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv-%26gt;tpClass.tpcFlags %26 CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

%02d/%02d/%04d %02d:%02d:%02d.%03d

An exception (%08X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpClass.tpcDtorAddr

(errPtr-%26gt;ERRcInitDtc %26gt;= varType-%26gt;tpClass.tpcDtorCount) || flags

memType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

varType-%26gt;tpArr.tpaElemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

dttPtr-%26gt;dttType-%26gt;tpPtr.tppBaseType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

IS_CLASS(dttPtr-%26gt;dttType-%26gt;tpMask) %26%26 (dttPtr-%26gt;dttType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR)

elemType-%26gt;tpClass.tpcFlags %26 CF_HAS_DTOR

Cv.SCv

Bv}.Bv

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

%8000404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(%26%26$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt+ Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)+Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    DATA0002.EXE:2956

    %original file name%.exe:1760

    Rundll32.exe:2696

    Rundll32.exe:316

    SysAnti.exe:440

    DATA0000.EXE:1904

    DrvInst.exe:1272

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (49 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ila7751.tmp (11186 bytes)

    C:\my.sys (2 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0003.EXE (1766 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0001.EXE (77 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0002.EXE (618 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0000.EXE (552 bytes)

    C:\Windows\Fonts\upho.fon (6 bytes)

    C:\Windows\Fonts\kdjnc.fon (32 bytes)

    C:\Windows\Fonts\lmiv.fon (6 bytes)

    \Device\Harddisk0\DR0 (7 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7742.tmp (11186 bytes)

    %Program Files%\RAV\CCtest.sys (7 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3120.reg (58 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAFF.tmp (4 bytes)

    %Program Files%\RAV\CCtest.inf (4 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAEE.tmp (7 bytes)

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7741.tmp (11186 bytes)

    C:\Windows\Fonts\ghhtc.fon (32 bytes)

    %Program Files%\Common Files\SysAnti.exe (1703 bytes)

    C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB4C.tmp (7 bytes)

    C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB5C.tmp (4 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Related articles