Trojan-Dropper.Win32.Agent.akh (Kaspersky), Trojan.Muldrop.BDT (B) (Emsisoft), Trojan.Muldrop.BDT (AdAware), Trojan.Win32.Bumat.FD, Trojan.Win32.Sasfis.FD, Virus.Win32.Parite.B.FD, VirusParite.YR, GenericPhysicalDrive0.YR, BankerGeneric.YR (Lavasoft MAS) Behaviour: Trojan-Dropper, Banker, Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 595d2fe55837abb03136f44d32f550f2
SHA1: 9fa3ef3475d0bbe01f00c1734918d440027322f3
SHA256: 3830cab6ab5014f5453af5bd3d03f3fa671193032b6648a4b547c7c3b56041fc
SSDeep: 24576:b4usE2ccfcdSkvRryzXkfcdSkvRryzXEfcdSkvRryzXfU8ZKneTe:rn2VCSkvRGzXACSkvRGzXgCSkvRGzXf+
Size: 1511424 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, WinUpackv030beta, Upackv032Beta, UPolyXv05_v6
Company: CamStudio Group
Created at: no data
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
DATA0002.EXE:2956
%original file name%.exe:1760
Rundll32.exe:2696
Rundll32.exe:316
SysAnti.exe:440
DATA0000.EXE:1904
DrvInst.exe:1272
The Trojan injects its code into the following process(es):
rundll32.exe:3876
DATA0003.EXE:2060
DATA0001.EXE:2936
Svchost.exe:2920
IEXPLORE.EXE:2064
Explorer.EXE:2024
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process DATA0002.EXE:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ila7751.tmp (11186 bytes)
C:\my.sys (2 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (0 bytes)
The process %original file name%.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0003.EXE (1766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0001.EXE (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0002.EXE (618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0000.EXE (552 bytes)
The process Rundll32.exe:2696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Fonts\upho.fon (6 bytes)
C:\Windows\Fonts\kdjnc.fon (32 bytes)
The Trojan deletes the following file(s):
C:\Windows\Fonts\upho.fon (0 bytes)
The process Rundll32.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Fonts\lmiv.fon (6 bytes)
The Trojan deletes the following file(s):
C:\Windows\Fonts\lmiv.fon (0 bytes)
The process SysAnti.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Fonts\kdjnc.fon (32 bytes)
The process DATA0003.EXE:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (49 bytes)
\Device\Harddisk0\DR0 (7 bytes)
C:\my.sys (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7742.tmp (11186 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hook.rom (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (0 bytes)
C:\Windows\System32\drivers\bios.sys (0 bytes)
The process DATA0001.EXE:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\RAV\CCtest.sys (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3120.reg (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAFF.tmp (4 bytes)
%Program Files%\RAV\CCtest.inf (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAEE.tmp (7 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAEE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3120.reg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAFF.tmp (0 bytes)
The process DATA0000.EXE:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7741.tmp (11186 bytes)
C:\Windows\Fonts\ghhtc.fon (32 bytes)
%Program Files%\Common Files\SysAnti.exe (1703 bytes)
The process DrvInst.exe:1272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB4C.tmp (7 bytes)
C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB5C.tmp (4 bytes)
The Trojan deletes the following file(s):
C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB4C.tmp (0 bytes)
C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB5C.tmp (0 bytes)
Registry activity
The process SysAnti.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"SysAnti" = "%Program Files%\Common Files\SysAnti.exe"
The process DATA0001.EXE:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.dev.log" = "4096"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process DATA0000.EXE:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\DATA0000_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
861d9fee9290c78c2e794b3ca6e9bc77 | c:\%original file name%.exe |
7d6b20a018d24a25a55fbed8a68a92eb | c:\Program Files\Common Files\SysAnti.exe |
a9c38565a7134c16225faf7ccd96cd61 | c:\Program Files\RAV\CCtest.sys |
7d6b20a018d24a25a55fbed8a68a92eb | c:\SysAnti.exe |
78822fff0494912dc394c5095894cee7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0001.EXE |
1e7c93864220813b5b0a52e7893cf2b6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0002.EXE |
cbfcc5ef142c580c55a602ed1397ceea | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0003.EXE |
685f1cbd4af30a1d0c25f252d399a666 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7741.tmp |
685f1cbd4af30a1d0c25f252d399a666 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7742.tmp |
685f1cbd4af30a1d0c25f252d399a666 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ila7751.tmp |
a9c38565a7134c16225faf7ccd96cd61 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\CCTest.sys |
650284d127f208fef9ac26f5aed9aa4e | c:\Windows\Fonts\ghhtc.fon |
650284d127f208fef9ac26f5aed9aa4e | c:\Windows\Fonts\kdjnc.fon |
a9c38565a7134c16225faf7ccd96cd61 | c:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\CCTest.sys |
ec313b6fbc41d3372949799ba59715f4 | c:\Windows\flash.dll |
353c3e4b55cb94a6e6a54dc423bddc6d | c:\my.sys |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS. The modified file is 794 bytes in size. The following entries are added to the hosts file:
IP | Hostname |
---|---|
127.0.0.1 | www.360.cn |
127.0.0.1 | www.360safe.cn |
127.0.0.1 | www.360safe.com |
127.0.0.1 | www.chinakv.com |
127.0.0.1 | www.rising.com.cn |
127.0.0.1 | rising.com.cn |
127.0.0.1 | dl.jiangmin.com |
127.0.0.1 | jiangmin.com |
127.0.0.1 | www.jiangmin.com |
127.0.0.1 | www.duba.net |
127.0.0.1 | www.eset.com.cn |
127.0.0.1 | www.nod32.com |
127.0.0.1 | shadu.duba.net |
127.0.0.1 | union.kingsoft.com |
127.0.0.1 | www.kaspersky.com.cn |
127.0.0.1 | kaspersky.com.cn |
127.0.0.1 | virustotal.com |
127.0.0.1 | virscan.org |
127.0.0.1 | www.virscan.org |
127.0.0.1 | www.kaspersky.com |
127.0.0.1 | www.cnnod32.cn |
127.0.0.1 | www.lanniao.org |
127.0.0.1 | www.nod32club.com |
127.0.0.1 | www.dswlab.com |
127.0.0.1 | bbs.sucop.com |
127.0.0.1 | www.virustotal.com |
127.0.0.1 | tool.ikaka.com |
127.0.0.1 | 360.qihoo.com |
127.0.0.1 | www.kafan.cn |
127.0.0.1 | bbs.kafan.cn |
Rootkit activity
No anomalies have been detected.
Propagation
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 4096 | 512 | 3.39105 | 1f4fb7d81227ebd0cb410783feb83a5f |
DATA | 8192 | 4096 | 512 | 0.273864 | 112ca019a106f4fe16f043f97b67e497 |
.idata | 12288 | 4096 | 512 | 2.71676 | 2e7dcee722f41a792183832ae33c3a81 |
.reloc | 16384 | 4096 | 512 | 0.620029 | 6d7aed319bec4769f502896c7af57209 |
.rsrc | 20480 | 1511424 | 1507840 | 5.5044 | 5fd5957c86a8a23d8486837c58dc71e0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
teredo.ipv6.microsoft.com | 157.56.106.189 |
dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
DATA0001.EXE_2936:
MZKERNEL32.DLL
.Upack
.rsrc
; File Name: CCTest.inf
; Generated by C DriverWizard 3.2.0 (Build 2485)
Signature="$WINDOWS NT$"
ClassGUID={D4A133FE-C9E5-4F11-A812-FED74DA86ED5}
DriverVer=5/7/2010,1.00.0000
CatalogFile=CCTest.cat
;reg-root,[subkey],[value-entry-name],[flags],[value]
HKR,,,%REG_SZ%,%DeviceClassName%
1 = %DiskId1%,,,""
CCTest.sys = 1,,
%CCTest_DeviceDesc$=CCTest_DDI, *CCTestDevice
; --------- Windows 98 -----------------
; cause problems in Windows 98
HKR,,NTMPDriver,,CCTest.sys
HKR,,Description,,%CCTest_DeviceDesc%
; --------- Windows NT -----------------
[CCTest_DDI.NT]
[CCTest_DDI.NT.Services]
Addservice = CCTest, %FLG_ADDREG_NOCLOBBER%, CCTest_Service
DisplayName = %CCTest_SvcDesc%
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %12%\CCTest.sys
CCTest.sys,,,2
FLG_ADDREG_KEYONLY = 0x00000010
FLG_ADDREG_64BITKEY = 0x00001000
FLG_ADDREG_KEYONLY_COMMON = 0x00002000
FLG_ADDREG_32BITKEY = 0x00004000
.text
h.data
B.reloc
C:\9\CCTest\Driver\objfre\i386\CCTest.pdb
ntoskrnl.exe
HAL.dll
setupapi.dll
shell32.dll
advapi32.dll
reg.exe
import
3120.reg
tmpacik.tmp
%scd%d.exe
KERNEL32.DLL
GetWindowsDirectoryA
GetCPInfo
USER32.DLL
SETUPAPI.DLL
Windows NT\
svchost.exe
CCTest.sys
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]
"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]
"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]
"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]
"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]
"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]
"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]
"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]
"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
DATA0003.EXE_2060:
!This program cannoc:\my.sys
.text
`.rdata
.data
.rsrc
@.nkh
MSVCRT
PSAPI.DLL
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
ADVAPI32.dll
\\.\PHYSICALDRIVE0
~DFE0F5.tmp
[-]OpenSCManager Failed in LoadDriver %d
c:\bios.bin
%s %s /isa %s
%s %s /isa release
cbrom.exe
\\.\Bios
explorer.exe
svchost.exe
services.exe
\flash.dll
\\.\MyDeviceDriver
\drivers\beep.sys
beep.sys
RSTray.exe
\drivers\bios.sys
hook.rom
User32.DLL
c:\my.sys
Kernel32.dll
RegOpenKeyExA
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer
DATA0003.EXE_2060_rwx_001D1000_00071000:
UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLk
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
EInvalidGraphicOperation,0
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdz
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
%02d/%02d/%04d %02d:%02d:%02d.%03d
An exception (%08X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt+ Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d)+Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Svchost.exe_2920:
.idata
.rdata
P.reloc
P.rsrc
P.xur
Portions Copyright (c) 1999,2003 Avenger by NhT
kernel32.dll
hXXp://
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Windows 95
Windows 95 OSR 2
Windows 98
Windows 98 Second Edition
Windows Millenium
Windows NT
Windows NT 3.5
Windows NT 4.0
Windows 2000
Windows XP
Windows XP Service Pack 2
Windows XP x64
Windows Server 2003
Windows Vista
Windows Server Longhorn
rpcrt4.dll
ntdll.dll
Kernel32.dll
Unit_GetWebSV
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
HttpOpenRequestA
HttpSendRequestA
ShellExecuteA
Shell32.dll
360hotfix.exe;360rpt.exe;360Safe.exe;360safebox.exe;360tray.exe;adam.exe;AgentSvr.exe;AntiArp.exe;AppSvc32.exe;arvmon.exe;AutoGuarder.exe;autoruns.exe;avgrssvc.exe;AvMonitor.exe;avp.com;avp.exe;CCenter.exe;ccSvcHst.exe;FileDsty.exe;findt2005.exe;FTCleanerShell.exe;HijackThis.exe;IceSword.exe;iparmo.exe;Iparmor.exe;IsHelp.exe;isPwdSvc.exe;kabaload.exe;KaScrScn.SCR;KASMain.exe;KASTask.exe;KAV32.exe;KAVDX.exe;KAVPFW.exe;KAVSetup.exe;KAVStart.exe;killhidepid.exe;KISLnchr.exe;KMailMon.exe;KMFilter.exe;KPFW32.exe;KPFW32X.exe;KPFWSvc.exe;KRepair.COM;KsLoader.exe;KVCenter.kxp;KvDetect.exe;kvfw.exe;KvfwMcl.exe;KVMonXP.kxp;KVMonXP_1.kxp;kvol.exe;kvolself.exe;KvReport.kxp;KVScan.kxp;KVSrvXP.exe;KVStub.kxp;kvupload.exe;kvwsc.exe;KvXP.kxp;KvXP_1.kxp;KWatch.exe;KWatch9x.exe;KWatchX.exe;loaddll.exe;MagicSet.exe;mcconsol.exe;mmqczj.exe;mmsk.exe;NAVSetup.exe;nod32krn.exe;nod32kui.exe;PFW.exe;PFWLiveUpdate.exe;QHSET.exe;Ras.exe;Rav.exe;RavCopy.exe;RavMon.exe;RavMonD.exe;RavStore.exe;RavStub.exe;ravt08.exe;RavTask.exe;RegClean.exe;RegEx.exe;rfwcfg.exe;RfwMain.exe;rfwolusr.exe;rfwProxy.exe;rfwsrv.exe;RsAgent.exe;Rsaupd.exe;RsMain.exe;rsnetsvr.exe;RSTray.exe;runiep.exe;safebank.exe;safeboxTray.exe;safelive.exe;scan32.exe;ScanFrm.exe;shcfg32.exe;smartassistant.exe;SmartUp.exe;SREng.exe;SREngPS.exe;symlcsvc.exe;syscheck.exe;Syscheck2.exe;SysSafe.exe;ToolsUp.exe;TrojanDetector.exe;Trojanwall.exe;TrojDie.kxp;UIHost.exe;UmxAgent.exe;UmxAttachment.exe;UmxCfg.exe;UmxFwHlp.exe;UmxPol.exe;UpLive.exe;WoptiClean.exe;zxsweep.exe;LiveUpdate360.exe;
AutoRun.inf
Open=%s
Shell\Open\Command=%s
Shell\Explore\Command=%s
Sfc.dll
VVV.360.cn
VVV.360safe.cn
VVV.360safe.com
VVV.chinakv.com
VVV.rising.com.cn
rising.com.cn
dl.jiangmin.com
jiangmin.com
VVV.jiangmin.com
VVV.duba.net
VVV.eset.com.cn
VVV.nod32.com
shadu.duba.net
union.kingsoft.com
VVV.kaspersky.com.cn
kaspersky.com.cn
virustotal.com
virscan.org
VVV.virscan.org
VVV.kaspersky.com
VVV.cnnod32.cn
VVV.lanniao.org
VVV.nod32club.com
VVV.dswlab.com
bbs.sucop.com
VVV.virustotal.com
tool.ikaka.com
360.qihoo.com
VVV.kafan.cn
bbs.kafan.cn
127.0.0.1
%02d-%02d-%02d %02d:%02d:%02d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
&Key=
cmd /c erase /F "
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
GetProcessHeap
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
WinExec
GetWindowsDirectoryA
t!==9sff!%26lt;('.qqq
KWindows
LUnit_GetWeb
Unit_NsPass
ADVAPI32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer
Svchost.exe_2920_rwx_000E1000_00071000:
Svchost.exe_2920_rwx_00400000_0001F000:
IEXPLORE.EXE_2064:
IEXPLORE.EXE_2064_rwx_00400000_0001F000:
IEXPLORE.EXE_2064_rwx_00421000_00071000:
svchost.exe_3704:
DrvInst.exe_1272:
rundll32.exe_3876:
Explorer.EXE_2024_rwx_046C1000_00071000:
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
DATA0002.EXE:2956
%original file name%.exe:1760
Rundll32.exe:2696
Rundll32.exe:316
SysAnti.exe:440
DATA0000.EXE:1904
DrvInst.exe:1272
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFE0F5.tmp (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ila7751.tmp (11186 bytes)
C:\my.sys (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0003.EXE (1766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0001.EXE (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0002.EXE (618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DATA0000.EXE (552 bytes)
C:\Windows\Fonts\upho.fon (6 bytes)
C:\Windows\Fonts\kdjnc.fon (32 bytes)
C:\Windows\Fonts\lmiv.fon (6 bytes)
\Device\Harddisk0\DR0 (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7742.tmp (11186 bytes)
%Program Files%\RAV\CCtest.sys (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3120.reg (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAFF.tmp (4 bytes)
%Program Files%\RAV\CCtest.inf (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{70c86755-ad3c-5798-9568-7366bcb29155}\SETAAEE.tmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gla7741.tmp (11186 bytes)
C:\Windows\Fonts\ghhtc.fon (32 bytes)
%Program Files%\Common Files\SysAnti.exe (1703 bytes)
C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB4C.tmp (7 bytes)
C:\Windows\System32\DriverStore\Temp\{64e28f61-4fd2-0c4d-bc44-540856657538}\SETAB5C.tmp (4 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.