Detection names: Trojan.Win32.Patched.la (Kaspersky), Win32.Sality.OG (B) (Emsisoft), Win32.Sality.OG (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.Hideproc.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7808aa8f2aa3a8d7ea7167c580398b10
SHA1: e68de790c52072223ccf3301caf4b9f9e835e440
SHA256: 781acfaf12a7775b4afb430cc237ac0565c0a25a7fe38345fc2890c7c57abb99
SSDeep: 3072:a /WB2E89kLfE43LHn1lmVCclhoEbsG6RdgYkMU7bF 6aLK2IJqi6uS gkDstXKQ:an2Ewk371lrJdHNkJVojPEHyjl3RNG2
Size: 307712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
sc.exe:2712
sc.exe:2524
sc.exe:2620
sc.exe:2872
sc.exe:3052
sc.exe:2548
sc.exe:2796
net1.exe:2584
net1.exe:2588
WINMINE.EXE:3764
WINMINE.EXE:3732
NOTEPAD.EXE:3580
NOTEPAD.EXE:3612
NOTEPAD.EXE:3716
NOTEPAD.EXE:3864
NOTEPAD.EXE:3688
NOTEPAD.EXE:3168
net.exe:2392
net.exe:2496
netsh.exe:224
Rundll32.exe:332
%original file name%.exe:3892
The Trojan injects its code into the following process(es):
system.exe:1156
Rundll32.exe:3060
mscorsvw.exe:172
%original file name%.exe:540
explorer.exe:3900
Explorer.EXE:2032
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process system.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\jwerqn.dll (79 bytes)
%WinDir%\system.ini (74 bytes)
%System%\lfmwqn.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winytakmi.exe (601 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
The Trojan deletes the following file(s):
C:\14cfb2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winytakmi.exe (0 bytes)
The process Rundll32.exe:3060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
C:\ (412 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\%current user%\Favorites (8 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (24 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_c30.dat (100 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (16 bytes)
C:\TSTP\winlogon.exe (536 bytes)
%Program Files%\Movie Maker (4 bytes)
%Program Files%\Windows NT (4 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%WinDir%\Web (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (12 bytes)
%System%\drivers (192 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (4545 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
C:\totalcmd (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Documents and Settings%\%current user% (40 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (32 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (8 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\WinSxS (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (788 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winytakmi.exe (1202 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
%WinDir% (1664 bytes)
C:\$Directory (1960 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles (8 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo (4 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%System%\config\systemprofile (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\msagent (4 bytes)
C:\PROGRAM FILES (20 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (424 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%System%\wbem (2896 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (32 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
C:\DOCUMENTS AND SETTINGS (8 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security (4 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%Program Files%\Internet Explorer (8 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (2276 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%WinDir%\REGISTRATION (8 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%System% (27944 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%Program Files%\COMMON FILES (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OP6NCXM7\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%Program Files%\Common Files\Microsoft Shared (8 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (12 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_120.dat (16 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8ZCBUT0J\desktop.ini (67 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\Temp (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%Documents and Settings%\All Users\Desktop (4 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7I8YEHB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings (28 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
%Documents and Settings%\All Users (12 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MR6QY76W\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
The Trojan deletes the following file(s):
%System%\wininet.dll (0 bytes)
The process Rundll32.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\AAV\CDriver.sys (11 bytes)
The Trojan deletes the following file(s):
%Program Files%\AAV\CDriver.sys (0 bytes)
%Program Files%\AAV (0 bytes)
The process %original file name%.exe:3892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Microsoft Shared\explorer.exe (601 bytes)
The process %original file name%.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\%original file name%.exe (364 bytes)
%System%\system.exe (226 bytes)
Registry activity
The process sc.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 15 2F C1 62 D7 E0 64 91 EA 15 D5 64 AE 7C CF"
The process sc.exe:2524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 2A FC 14 D5 4E D2 78 07 50 1F 38 16 84 18 50"
The process sc.exe:2620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 91 73 5D 27 44 DD CC 0D 68 C6 02 64 B5 ED 57"
The process sc.exe:2872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 2C 43 2F E3 57 CE 6D B3 6B 72 33 3A 01 0D 02"
The process sc.exe:3052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 6C 77 B3 2B A9 A3 95 9C 90 04 5A 5A 98 A0 C8"
The process sc.exe:2548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 00 35 23 D0 36 8F 8D 89 B5 14 5C 74 BD BD 57"
The process sc.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F B9 A3 0C B1 CA 05 CA 3B 3A 6E 75 78 7C E2 95"
The process net1.exe:2584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 15 C5 00 18 7E E9 CB 8B 6E 28 BE 2B 27 C0 B0"
The process net1.exe:2588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 02 29 88 EF 34 D8 31 02 70 57 54 7D 62 CD DB"
The process WINMINE.EXE:3764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 82 FB E5 6C C7 22 33 7C 69 BA 34 C4 20 9F 05"
The process WINMINE.EXE:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 FE 4D 39 07 2C 26 AD 03 83 8B 33 BC FF CB 34"
The process NOTEPAD.EXE:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 69 15 6A E8 91 4C 16 6E 46 07 3C 91 3B 02 7B"
The process NOTEPAD.EXE:3612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 DC B5 3F 43 78 0E 8C 89 76 C8 F6 60 90 B5 0B"
The process NOTEPAD.EXE:3716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 35 07 2E 49 0D 09 13 D7 71 2D 4C 0C 99 E8 70"
The process NOTEPAD.EXE:3864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 4A 90 A4 6F 66 D5 98 64 58 D7 46 AF 1B 2F 53"
The process NOTEPAD.EXE:3688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 BB CA 37 29 6E 19 F0 E1 AA 05 5B 18 1F 99 A7"
The process NOTEPAD.EXE:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F D7 14 14 8C B1 60 F6 CB 25 5F 79 08 71 D5 28"
The process system.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a4_0" = "0"
"a1_0" = "3432392762"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"7169121" = "64"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"35845605" = "323"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 49 6E D1 B7 F7 FD 39 C5 5F 3A D2 35 92 34 A3"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKCU\Software\adm914]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"50183847" = "C8980FD0FA43809D561928F00AAD6DAD7091CFE47DF57985A379C5E2D85F8E0BB75518A4E967DCE1B684E91E7ACCD74E8F65D721CB872CA88A9A41048FDB51608C6305AE02B5E50E527BD46181E3442FBE3652F6DF35028008A44B80427639121856E8CEFA4A99BA1ABDDE0042D860D1F1C1833A5844585F17EEE957B91F2348"
[HKCU\Software\adm914]
"a2_0" = "5517"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32]
"system.exe" = "%System%\system.exe:*:Enabled:ipsec"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process net.exe:2392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 BD 43 E1 29 0A 36 B5 02 83 32 57 6C 95 56 2E"
The process net.exe:2496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 1C 71 5F 2B 82 CE 30 38 BD 98 91 06 46 5E 33"
The process netsh.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 A0 48 3E 7F C8 DD EE 0D 51 65 76 A4 80 E8 BB"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Windows firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process Rundll32.exe:3060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 33 40 AC 47 FB A6 04 C1 0E AC BD 76 BD EC CB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Rundll32.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 53 13 FD B1 E3 F1 46 5C 8B 07 82 E5 58 FC C4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process mscorsvw.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
The process %original file name%.exe:3892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 51 2F DE 9F EE 24 86 14 FD 97 A6 7B F5 52 50"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 67 61 77 00 84 8B 9A 1D 04 59 1E 24 CC 67 73"
Dropped PE files
MD5 | File path |
---|---|
94d07771b2102823306845e97f0f7fb4 | c:\%original file name%.exe |
7a4f775abb2f1c97def3e73afa2faedd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B4.tmp |
94d07771b2102823306845e97f0f7fb4 | c:\Program Files\Common Files\Microsoft Shared\explorer.exe |
904aaccab87ddcef55c6aed6cb064ae0 | c:\Program Files\Common Files\ips888.dll |
b7fe31857f497d87727c14d2f8ac59a8 | c:\WINDOWS\system32\drivers\kpscc.sys |
56ea438828f407afebd6916d3e445907 | c:\WINDOWS\system32\jwerqn.dll |
1166b4a71282c9f5b75505b557f9f95e | c:\WINDOWS\system32\lfmwqn.dll |
71543b74b3426eaaf9b555e201aeb4ac | c:\WINDOWS\system32\system.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
sc.exe:2712
sc.exe:2524
sc.exe:2620
sc.exe:2872
sc.exe:3052
sc.exe:2548
sc.exe:2796
net1.exe:2584
net1.exe:2588
WINMINE.EXE:3764
WINMINE.EXE:3732
NOTEPAD.EXE:3580
NOTEPAD.EXE:3612
NOTEPAD.EXE:3716
NOTEPAD.EXE:3864
NOTEPAD.EXE:3688
NOTEPAD.EXE:3168
net.exe:2392
net.exe:2496
netsh.exe:224
Rundll32.exe:332
%original file name%.exe:3892
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\jwerqn.dll (79 bytes)
%WinDir%\system.ini (74 bytes)
%System%\lfmwqn.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winytakmi.exe (601 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\%current user%\Favorites (8 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_c30.dat (100 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (16 bytes)
C:\TSTP\winlogon.exe (536 bytes)
%Program Files%\Movie Maker (4 bytes)
%Program Files%\Windows NT (4 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\Web (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (12 bytes)
%System%\drivers (192 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (4545 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
C:\totalcmd (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (32 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\WinSxS (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (788 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\$Directory (1960 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\msagent (4 bytes)
C:\PROGRAM FILES (20 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (32 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
C:\DOCUMENTS AND SETTINGS (8 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%Program Files%\Internet Explorer (8 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%WinDir%\REGISTRATION (8 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%Program Files%\COMMON FILES (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OP6NCXM7\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%Program Files%\Common Files\Microsoft Shared (8 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (12 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_120.dat (16 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8ZCBUT0J\desktop.ini (67 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%Documents and Settings%\All Users\Desktop (4 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7I8YEHB\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MR6QY76W\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Program Files%\AAV\CDriver.sys (11 bytes)
%Program Files%\Common Files\Microsoft Shared\explorer.exe (601 bytes)
C:\%original file name%.exe (364 bytes)
%System%\system.exe (226 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 278528 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 282624 | 53248 | 50688 | 5.45194 | 88c068adfd573210f49ff6dc628db0a9 |
.rsrc | 335872 | 24576 | 24576 | 2.72388 | e09f6c4750a974646e30ecb8c841e539 |
ouob | 360448 | 4288 | 4608 | 3.59224 | 41a5c17770e2441f5699345455d364e8 |
| 368640 | 226816 | 226816 | 5.02087 | 71543b74b3426eaaf9b555e201aeb4ac |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
jisu.exe
jisu.exe
filmst.exe
filmst.exe
qheart.exe
qheart.exe
qsetup.exe
qsetup.exe
sxgame.exe
sxgame.exe
wbapp.exe
wbapp.exe
pfserver.exe
pfserver.exe
QQPCSmashFile.exe
QQPCSmashFile.exe
avp.com
avp.com
avp.exe
avp.exe
iq123.com
iq123.com
yijidh.com
yijidh.com
250dh.cn
250dh.cn
223.la
223.la
kuku123.com
kuku123.com
930930.com
930930.com
9123.com
9123.com
hao123e.com
hao123e.com
020.com
020.com
youxi777.com
youxi777.com
1616.net
1616.net
1188.com
1188.com
urldh.com
urldh.com
daohang.la
daohang.la
pp55.com
pp55.com
9605.com
9605.com
05505.cn
05505.cn
7055.net
7055.net
0056.com
0056.com
6655.com
6655.com
1166.com
1166.com
5kip.com
5kip.com
114xia.com
114xia.com
265dh.com
265dh.com
3567.com
3567.com
6565.cn
6565.cn
666t.com
666t.com
9223.com
9223.com
dduu.com
dduu.com
hao123.cn
hao123.cn
5snow.com
5snow.com
2523.com
2523.com
5599.net
5599.net
tt98.com
tt98.com
zhaodao123.com
zhaodao123.com
kuhao123.com
kuhao123.com
5151la.net
5151la.net
6h.com.cn
6h.com.cn
zeibi.com
zeibi.com
6e8e.com
6e8e.com
th123.com
th123.com
9991.com
9991.com
hao123ol.com
hao123ol.com
wu123.com
wu123.com
t220.cn
t220.cn
ttver.net
ttver.net
188HI.com
188HI.com
go2000.com
go2000.com
5igb.com
5igb.com
bb2000.net
bb2000.net
9wa.com
9wa.com
qq5.com
qq5.com
365j.com
365j.com
7345.com
7345.com
2760.com
2760.com
361la.com
361la.com
haojs.com
haojs.com
5zd.com
5zd.com
i8866.com
i8866.com
100wz.com
100wz.com
114hi.com
114hi.com
234.la
234.la
657.com
657.com
339.la
339.la
365wz.net
365wz.net
7792.com
7792.com
9495.com
9495.com
dazuimao.com
dazuimao.com
71314.com
71314.com
265.com
265.com
gouwo.com
gouwo.com
huai456.com
huai456.com
ku256.com
ku256.com
my180.com
my180.com
2522.cn
2522.cn
405.cn
405.cn
44244.com
44244.com
111dh.com
111dh.com
115ku.com
115ku.com
13387.com
13387.com
163yes.com
163yes.com
256s.com
256s.com
2676.com
2676.com
3355.net
3355.net
365lo.com
365lo.com
4168.com
4168.com
4545.cn
4545.cn
4688.com
4688.com
566.net
566.net
5666.net
5666.net
5733.com
5733.com
6461.cn
6461.cn
7356.com
7356.com
800186.com
800186.com
85851.com
85851.com
asp51.com
asp51.com
361dh.com
361dh.com
5566.net
5566.net
yulinweb.com
yulinweb.com
6296.com.cn
6296.com.cn
mianfeia.com
mianfeia.com
ai1234.com
ai1234.com
k369.com
k369.com
msncn.com
msncn.com
ss256.com
ss256.com
min513.com
min513.com
88-888.com
88-888.com
lggg.cn
lggg.cn
7771.cn
7771.cn
leeboo.com
leeboo.com
jjol.cn
jjol.cn
5566.com
5566.com
9166.net
9166.net
hao253.com
hao253.com
7b.com.cn
7b.com.cn
haoei.com
haoei.com
77114.com
77114.com
21310.cn
21310.cn
weiduomei.net
weiduomei.net
kk3000.cn
kk3000.cn
7241.cn
7241.cn
44384.com
44384.com
daohang1234.com
daohang1234.com
131.cc
131.cc
223224.com
223224.com
537.com
537.com
9348.cn
9348.cn
bju123.cn
bju123.cn
i4455.com
i4455.com
jia123.com
jia123.com
0666.com.cn
0666.com.cn
553.la
553.la
5566.org
5566.org
37021.com
37021.com
88488.com
88488.com
99986.net
99986.net
37021.net
37021.net
k986.com
k986.com
cc62.com
cc62.com
5518.cn
5518.cn
55620.com
55620.com
52416.com
52416.com
7357.cn
7357.cn
8c8c.net
8c8c.net
9999q.com
9999q.com
123shi123.com
123shi123.com
yl234.cn
yl234.cn
3322.com
3322.com
hao222.com
hao222.com
6313.com
6313.com
f127.com
f127.com
5599cn.cn
5599cn.cn
99499.com
99499.com
2548.cn
2548.cn
133.net
133.net
ie30.com
ie30.com
8751.com
8751.com
160dh.com
160dh.com
114115.com
114115.com
1322.cn
1322.cn
hh361.com
hh361.com
2800.cc
2800.cc
52daohang.com
52daohang.com
186.me
186.me
diyidh.com
diyidh.com
zaodezhu.com
zaodezhu.com
7832.com
7832.com
3073.com
3073.com
2058.cc
2058.cc
3456.cc
3456.cc
7771.com
7771.com
q6789.com
q6789.com
7k.cc
7k.cc
dianzi88.com
dianzi88.com
7802.com
7802.com
xinbut.com
xinbut.com
59688.com
59688.com
gjj.cc
gjj.cc
youla.com
youla.com
ok1616.com
ok1616.com
i2345.cn
i2345.cn
gg8000.com
gg8000.com
daohang12345.cn
daohang12345.cn
inina.cn
inina.cn
dowei.com
dowei.com
1515.net
1515.net
41119.cn
41119.cn
21230.cn
21230.cn
97youku.com
97youku.com
fast35.net
fast35.net
m32.cn
m32.cn
tom155.cn
tom155.cn
668yo.com
668yo.com
online.cq.cn
online.cq.cn
shagua.cn
shagua.cn
007247.cn
007247.cn
603467.cn
603467.cn
197326.cn
197326.cn
wwwoj.cn
wwwoj.cn
xp22.cn
xp22.cn
84022.cn
84022.cn
520593.cn
520593.cn
448789.cn
448789.cn
141321.cn
141321.cn
36gggg.cn
36gggg.cn
427842.cn
427842.cn
niubihao123.cn
niubihao123.cn
ovooo.cn
ovooo.cn
rtys520.net
rtys520.net
rtxzw.com
rtxzw.com
uurenti.cc
uurenti.cc
bo.dy288.com
bo.dy288.com
renti11.com
renti11.com
123.cd
123.cd
336655.com
336655.com
9978.net
9978.net
114la.com
114la.com
520.com
520.com
6l.cn
6l.cn
420.cn
420.cn
v989.com
v989.com
16551.com
16551.com
2tvv.com
2tvv.com
m4455.com
m4455.com
5987.net
5987.net
7999.com
7999.com
caipopo.com
caipopo.com
wndhw.com
wndhw.com
henku123.com
henku123.com
qu123.com
qu123.com
94176.com
94176.com
u526.com
u526.com
haokan123.com
haokan123.com
uusee.net
uusee.net
9733.com
9733.com
qnrwz.com
qnrwz.com
999w.com
999w.com
h935.com
h935.com
33250.com
33250.com
tz911.net
tz911.net
639e.com
639e.com
920xx.cn
920xx.cn
13393.com
13393.com
tncdh.com
tncdh.com
sou185.com
sou185.com
3566.cc
3566.cc
580so.com
580so.com
2001.cc
2001.cc
hnhao123.com
hnhao123.com
zz5.net.cn
zz5.net.cn
abc123.name
abc123.name
ekan123.com
ekan123.com
1266.cc
1266.cc
hao123.cc
hao123.cc
126.cc
126.cc
ie1788.com
ie1788.com
58daohang.com
58daohang.com
6dh.com
6dh.com
991.cn
991.cn
114la.me
114la.me
1133.cc
1133.cc
ads8.com
ads8.com
haoz.com
haoz.com
jsing.net
jsing.net
123.sogou.com
123.sogou.com
3321.com
3321.com
1155.cc
1155.cc
hao123.com
hao123.com
hao123.net
hao123.net
6700.cn
6700.cn
168.com
168.com
uu881.com
uu881.com
6264.cn
6264.cn
606600.com
606600.com
2345.com
2345.com
5607.cn
5607.cn
1111116.com
1111116.com
v7799.com
v7799.com
ie7.com.cn
ie7.com.cn
365t.cc
365t.cc
89679.com
89679.com
35029.com
35029.com
8d9a.cn
8d9a.cn
400zm.com
400zm.com
58816.com
58816.com
727dh.cn
727dh.cn
hao123w.com
hao123w.com
114td.com
114td.com
28101.cn
28101.cn
03336.cn
03336.cn
79001.cn
79001.cn
133132.com
133132.com
3434.com.cn
3434.com.cn
828dh.cn
828dh.cn
64500.cn
64500.cn
22q.cc
22q.cc
jj77.com
jj77.com
vvyy.net
vvyy.net
ie567.com
ie567.com
5d5e.com
5d5e.com
212dh.cn
212dh.cn
911g.cn
911g.cn
1616.la
1616.la
tomatolei.com
tomatolei.com
96nn.com
96nn.com
5543.com
5543.com
2288.org
2288.org
3322.org
3322.org
9966.org
9966.org
8800.org
8800.org
8866.org
8866.org
7766.org
7766.org
22409.com
22409.com
se-se.info
se-se.info
26043.com
26043.com
34414.com
34414.com
gaoav1.info
gaoav1.info
0558114.com
0558114.com
3333dh.cn
3333dh.cn
zjialin.com
zjialin.com
22dao.com
22dao.com
soupay.com
soupay.com
langlangdoor.com
langlangdoor.com
99cu.com
99cu.com
5555dh.cn
5555dh.cn
wang123.net
wang123.net
haaoo123.com
haaoo123.com
3645.com
3645.com
hao123q.com
hao123q.com
tvsooo.com
tvsooo.com
gaituba.com
gaituba.com
45566.net
45566.net
2298.cn
2298.cn
iexx.com
iexx.com
dh115.com
dh115.com
97sp.cn
97sp.cn
39r.cn
39r.cn
f8f8.cn
f8f8.cn
391kk.cn
391kk.cn
266.cc
266.cc
jysoso.net
jysoso.net
wg510.cn
wg510.cn
1155.com
1155.com
114d.org
114d.org
ie3721.com
ie3721.com
2142.cn
2142.cn
go2000.cc
go2000.cc
go2000.cn
go2000.cn
99521.com
99521.com
yeooo.com
yeooo.com
haha123.com
haha123.com
hao.360.cn
hao.360.cn
07707.cn
07707.cn
yy2000.net
yy2000.net
1111118.com
1111118.com
26281.com
26281.com
960dh.cn
960dh.cn
300.cc
300.cc
163333333.com.cn
163333333.com.cn
kz300.cn
kz300.cn
i3525.cn
i3525.cn
67881.net
67881.net
t2t2.net
t2t2.net
mm4000.cn
mm4000.cn
669dh.cn
669dh.cn
k58n.com
k58n.com
haoha123.com
haoha123.com
ab99.com
ab99.com
i2255.com
i2255.com
054.cc
054.cc
fffggqq.cn
fffggqq.cn
k2345.net
k2345.net
vv33.com
vv33.com
tuku6.com
tuku6.com
mmpp654.com
mmpp654.com
228dh.cn
228dh.cn
seibb.com
seibb.com
14164.com
14164.com
552dh.cn
552dh.cn
hao969.com
hao969.com
lalamao.com
lalamao.com
21225.cn
21225.cn
5k5.net
5k5.net
65630.cn
65630.cn
at46.cn
at46.cn
98928.cn
98928.cn
ads.eorezo.com
ads.eorezo.com
661dh.cn
661dh.cn
6320.com
6320.com
henbianjie.com
henbianjie.com
xiushe.com
xiushe.com
5mqxmq.com
5mqxmq.com
989228.com
989228.com
i8844.cn
i8844.cn
g1476.cn
g1476.cn
4j4j.cn
4j4j.cn
1777zzw5.com
1777zzw5.com
989228.cn
989228.cn
henbucuo.com
henbucuo.com
886dh.cn
886dh.cn
2255.net
2255.net
160yes.com
160yes.com
u8s.cn
u8s.cn
16711.com
16711.com
626dh.cn
626dh.cn
rfwow.cn
rfwow.cn
baiyici.cn
baiyici.cn
lalamao.cn
lalamao.cn
136s.com
136s.com
huhuyy.cn
huhuyy.cn
8diq.com
8diq.com
d2fs.cn
d2fs.cn
0229.com
0229.com
yy4000.com
yy4000.com
9934.cn
9934.cn
3883.net
3883.net
151dh.com
151dh.com
26dh.cn
26dh.cn
kkwwxx.com
kkwwxx.com
t67.net
t67.net
29dao.cn
29dao.cn
58ju.com
58ju.com
dnc8.net
dnc8.net
yl177.com.cn
yl177.com.cn
xj.cn
xj.cn
950990.cn
950990.cn
114.com.cn
114.com.cn
xxxip.cn
xxxip.cn
3628.com
3628.com
265.cc
265.cc
26.la
26.la
5654.com
5654.com
zg115.com
zg115.com
969dh.cn
969dh.cn
111555.com.cn
111555.com.cn
pic.jinti.com
pic.jinti.com
kk8000.com
kk8000.com
wokaokao.cn
wokaokao.cn
duoxxppmmkoo.com
duoxxppmmkoo.com
kanlink.cn
kanlink.cn
91youa.com
91youa.com
shinia.cn
shinia.cn
pp9pp9.cn
pp9pp9.cn
ma80.com
ma80.com
556dh.cn
556dh.cn
bu4.cn
bu4.cn
8555.com
8555.com
e23.la
e23.la
flash678.cn
flash678.cn
yy4000.cn
yy4000.cn
wo333.com
wo333.com
mv700.com
mv700.com
xcwhgx.cn
xcwhgx.cn
3s11.cn
3s11.cn
sp16888.com
sp16888.com
k7k7.com
k7k7.com
zzw5.com
zzw5.com
okdianying.com
okdianying.com
789bb.com
789bb.com
antuoo.com
antuoo.com
so06.com
so06.com
665532.cn
665532.cn
7f7f.com
7f7f.com
k261.com
k261.com
fanbaidu.org.cn
fanbaidu.org.cn
iu888.cn
iu888.cn
977k.com
977k.com
93w.com
93w.com
68566.com.cn
68566.com.cn
zhidao163.cn
zhidao163.cn
it958.cn
it958.cn
lx8000.cn
lx8000.cn
sc.cn
sc.cn
ucuc.cc
ucuc.cc
kkdowns.com
kkdowns.com
189189.com
189189.com
0002.com
0002.com
4737.cn
4737.cn
226dh.cn
226dh.cn
bb115.cn
bb115.cn
06000.cn
06000.cn
u87.cn
u87.cn
sohao123.com
sohao123.com
k887.com
k887.com
hao602.com
hao602.com
t7t7.net
t7t7.net
ku4000.cn
ku4000.cn
v6677.cn
v6677.cn
hong666.com
hong666.com
4000a.com
4000a.com
kk4000.cn
kk4000.cn
7767.com
7767.com
11227.cn
11227.cn
u9u9.net
u9u9.net
28113.cn
28113.cn
rr55.com
rr55.com
a4000.cn
a4000.cn
yunfujkw.cn
yunfujkw.cn
886.com
886.com
2800.cer.cn
2800.cer.cn
zyyu.com
zyyu.com
49la.com
49la.com
hi3000.cn
hi3000.cn
sogouliulanqi.com
sogouliulanqi.com
888ge.com
888ge.com
00333.cn
00333.cn
29wz.com
29wz.com
soso126.com
soso126.com
180wan.com
180wan.com
kan888.com
kan888.com
4929.cn
4929.cn
v2233.com
v2233.com
m345.cn
m345.cn
tt265.net
tt265.net
18ttt.com
18ttt.com
153.cc
153.cc
00664.cn
00664.cn
gugogo.com
gugogo.com
kk4000.com
kk4000.com
185b.com
185b.com
uuent.com
uuent.com
6666dh.cn
6666dh.cn
25dao.com
25dao.com
shangla.com
shangla.com
77177.cn
77177.cn
haoq123.com
haoq123.com
baiduo.org
baiduo.org
lejiu.net
lejiu.net
dianxin.cn
dianxin.cn
u7758.com
u7758.com
dao234.com
dao234.com
85692.com
85692.com
xiaosb.com
xiaosb.com
soso313.cn
soso313.cn
939dh.com
939dh.com
85952.com
85952.com
31346.com
31346.com
71528.com
71528.com
788dh.com
788dh.com
91695.com
91695.com
5566x.com
5566x.com
131u.com
131u.com
1149.cn
1149.cn
9281.net
9281.net
my115.net
my115.net
4119.cn
4119.cn
9m1.net
9m1.net
dh818.com
dh818.com
iehwz.com
iehwz.com
wa200.com
wa200.com
hao234.cc
hao234.cc
6781.com
6781.com
652dh.com
652dh.com
16811.com
16811.com
zhongshu.net
zhongshu.net
992k.com
992k.com
71628.com
71628.com
6701.com
6701.com
diyou.net
diyou.net
iehao123.com
iehao123.com
laidao123.com
laidao123.com
yinfen.net
yinfen.net
wz4321.com
wz4321.com
shangqu.info
shangqu.info
5121.net
5121.net
668g.com
668g.com
51150.com
51150.com
53ff.com
53ff.com
dada123.com
dada123.com
you2000.com
you2000.com
884599.cn
884599.cn
kuaijiong.com
kuaijiong.com
398.cn
398.cn
32387.com
32387.com
82vv.com
82vv.com
46.com
46.com
09tao.com
09tao.com
977dh.com
977dh.com
598.net
598.net
211dh.com
211dh.com
9365.info
9365.info
wblive.com
wblive.com
e722.com
e722.com
v232.com
v232.com
7400.net
7400.net
62106.com
62106.com
ll4xi.com
ll4xi.com
3932.com
3932.com
puZeng.com
puZeng.com
97199.com
97199.com
447.cc
447.cc
0749.com
0749.com
6656.net
6656.net
niebai.com
niebai.com
447.com
447.com
uuchina.net
uuchina.net
hao123cn.info
hao123cn.info
dao666.com
dao666.com
9813.org
9813.org
91kk.com
91kk.com
freedh.info
freedh.info
yidaba.com
yidaba.com
161111111.com
161111111.com
009dh.com
009dh.com
qsxx.cn
qsxx.cn
geyuan.net
geyuan.net
8t8.net
8t8.net
xorg.pl
xorg.pl
bij.pl
bij.pl
qqnz.com
qqnz.com
srpkw.com
srpkw.com
gggdu.com
gggdu.com
baiduo.com
baiduo.com
wys99.com
wys99.com
leilei.cc
leilei.cc
3633.net
3633.net
fjta.com
fjta.com
so11.cn
so11.cn
522dh.com
522dh.com
9249.com
9249.com
3110.cn
3110.cn
300cc.com
300cc.com
7669.cn
7669.cn
5c6.com
5c6.com
7993.cn
7993.cn
8336.cn
8336.cn
03m.net
03m.net
ou33.com
ou33.com
bv0.net
bv0.net
163333333.cn
163333333.cn
45575.com
45575.com
2637.cn
2637.cn
skyhouse.com.cn
skyhouse.com.cn
98453.com
98453.com
65642.net
65642.net
776la.com
776la.com
256.CC
256.CC
114king.cn
114king.cn
yyyqq.com
yyyqq.com
huhu123.com
huhu123.com
gyyx.cn
gyyx.cn
2888.me
2888.me
4444dh.cn
4444dh.cn
191pk.com
191pk.com
118.com
118.com
57xswz.com
57xswz.com
how18.cn
how18.cn
sohu12333333.com
sohu12333333.com
xz26.com
xz26.com
654v.com
654v.com
280580.cn
280580.cn
fjgqw.com
fjgqw.com
49558.cn
49558.cn
pp8000.cn
pp8000.cn
265it.com
265it.com
soolaa.com
soolaa.com
9899.cn
9899.cn
18143.com
18143.com
haoxyz.com
haoxyz.com
4555.net
4555.net
10du.net
10du.net
528988.com
528988.com
wahahaha123.com
wahahaha123.com
c256.cn
c256.cn
chinaih.com
chinaih.com
mnv.cn
mnv.cn
633dh.com
633dh.com
ncjxx.com
ncjxx.com
51721.net
51721.net
556w.com
556w.com
114cc.net
114cc.net
5go.com.cn
5go.com.cn
pp4000.com
pp4000.com
8844.com
8844.com
dd335.cn
dd335.cn
qu163.net
qu163.net
itwenba.cn
itwenba.cn
dou2game.cn
dou2game.cn
h220.com
h220.com
neng123.com
neng123.com
pleoc.cn
pleoc.cn
6006.cc
6006.cc
987654.com
987654.com
39903.com
39903.com
ddoowwnn.cn
ddoowwnn.cn
788111.com
788111.com
zhidao001.com
zhidao001.com
5hao123.com
5hao123.com
978.la
978.la
135968.cn
135968.cn
bb112.com
bb112.com
r220.cn
r220.cn
365kong.com
365kong.com
woainame.cn
woainame.cn
okgouwu.cn
okgouwu.cn
hao006.com
hao006.com
jipinla.com
jipinla.com
99467.com
99467.com
wawamm.cn
wawamm.cn
qian14.cn
qian14.cn
ip27.cn
ip27.cn
56dh.cn
56dh.cn
2966.com
2966.com
game333.net
game333.net
kukuwz.com
kukuwz.com
1-xiu.cn
1-xiu.cn
92hao123.com
92hao123.com
lian9.cn
lian9.cn
222q.cn
222q.cn
jj98.com
jj98.com
73vv.com
73vv.com
mubanw.com
mubanw.com
t262.com
t262.com
x1258.cn
x1258.cn
weishi66.cn
weishi66.cn
hao990.com
hao990.com
68la.com
68la.com
sowang123.cn
sowang123.cn
3929.cn
3929.cn
5665.cn
5665.cn
81sf.com
81sf.com
kz123.cn
kz123.cn
qq806.cn
qq806.cn
ffwyt.com
ffwyt.com
kpscc.sys
kpscc.sys
\\.\MYFL
\\.\MYFL
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
c:\RECYCLER\winlogon.exe
c:\RECYCLER\winlogon.exe
RavExt.dll
RavExt.dll
bsmain.exe
bsmain.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}
2009.lnk
2009.lnk
2010.lnk
2010.lnk
Common Files\Microsoft Shared\explorer.exe
Common Files\Microsoft Shared\explorer.exe
ips888.dll
ips888.dll
autorun.inf
autorun.inf
}.exe
}.exe
My Documents.exe
My Documents.exe
hXXp://VVV.dh008.com/?ie
hXXp://VVV.dh008.com/?ie
winlogon.exe
winlogon.exe
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
Intennet Exploner.lnk
Intennet Exploner.lnk
A.url
A.url
C.url
C.url
&.url
&.url
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\TSTP
C:\TSTP
C:\TSTP\winlogon.exe
C:\TSTP\winlogon.exe
C:\TSTP\
C:\TSTP\
TSPS.lnk
TSPS.lnk
c:\85S22.dat
c:\85S22.dat
svchost.exe
svchost.exe
boot.ini
boot.ini
1681.lnk
1681.lnk
8970.lnk
8970.lnk
c:\MFILES\winlogon.exe
c:\MFILES\winlogon.exe
explorer.exe hXXp://VVV.dh008.com/?TJ-
explorer.exe hXXp://VVV.dh008.com/?TJ-
Shareds.dll
Shareds.dll
q9q.dll
q9q.dll
TaskTray.dll
TaskTray.dll
Q888.dll
Q888.dll
LoginCtrl.dll
LoginCtrl.dll
x0x.dll
x0x.dll
mp.dll
mp.dll
xlooo.dll
xlooo.dll
TaskManager.dll
TaskManager.dll
explorer.exe
explorer.exe
.idata
.idata
.edata
.edata
P.reloc
P.reloc
P.rsrc
P.rsrc
taskmgr.exe
taskmgr.exe
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
SetWindowsHookExA
SetWindowsHookExA
IMAGEHLP.DLL
IMAGEHLP.DLL
nthide.dll
nthide.dll
KWindows
KWindows
shell\open\Command=svchost.exe
shell\open\Command=svchost.exe
shell\explore\Command=svchost.exe
shell\explore\Command=svchost.exe
c:\TSTP\winlogon.exe
c:\TSTP\winlogon.exe
AutoRun.inf
AutoRun.inf
mmp.dat
mmp.dat
hXXp://VVV.dh008.com/?Dll
hXXp://VVV.dh008.com/?Dll
WinExec
WinExec
shell32.dll
shell32.dll
Q08.dll
Q08.dll
3#43494>4
3#43494>4
UrlMon
UrlMon
Q09.dll
Q09.dll
xlo.dll
xlo.dll
xln.dll
xln.dll
IEXPLORE.EXE
IEXPLORE.EXE
%Program Files%\Internet Explorer\IEXPLORE.EXE
%Program Files%\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
URL=hXXp://888.qq2233.com/
URL=hXXp://888.qq2233.com/
URL=hXXp://888.qq2233.com/taobao.htm
URL=hXXp://888.qq2233.com/taobao.htm
URL=hXXp://VVV.vol777.com/?Dll
URL=hXXp://VVV.vol777.com/?Dll
;=!`;=)`
;=!`;=)`
;=&` winlogon.exe
;=&` winlogon.exe
;=&`;=&`
;=&`;=&`
.text
.text
h.rdata
h.rdata
H.data
H.data
.reloc
.reloc
PID is:%d
PID is:%d
MyPspaddress is: X
MyPspaddress is: X
NTOSKRNL.EXE
NTOSKRNL.EXE
GetWindowsDirectoryA
GetWindowsDirectoryA
RegOpenKeyA
RegOpenKeyA
RegDeleteKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCreateKeyA
RegCreateKeyA
.rdata
.rdata
.vol7
.vol7
( X
( X
.LjR=W
.LjR=W
.Jbjx=
.Jbjx=
KERNEL32.DLL
KERNEL32.DLL
oleaut32.dll
oleaut32.dll
>..\..\..\..\..\..\Program Files\Internet Explorer\IEXPLORE.EXE"%Program Files%\Internet Explorer
>..\..\..\..\..\..\Program Files\Internet Explorer\IEXPLORE.EXE"%Program Files%\Internet Explorer
hXXp://VVV.sfc007.com/?98`
hXXp://VVV.sfc007.com/?98`
hXXp://VVV.sfc007.com/?98
hXXp://VVV.sfc007.com/?98
..\..\..\TSTP\winlogon.exe
..\..\..\TSTP\winlogon.exe
C:\TSTP`
C:\TSTP`
explorer.exe_3900_rwx_00401000_00050000:
kernel32.dll
kernel32.dll
ntdll.dll
ntdll.dll
PSAPI.dll
PSAPI.dll
safeboxTray.exe
safeboxTray.exe
360Safe.exe
360Safe.exe
360safebox.exe
360safebox.exe
360tray.exe
360tray.exe
ravcopy.exe
ravcopy.exe
AvastU3.exe
AvastU3.exe
ScanU3.exe
ScanU3.exe
AvU3Launcher.exe
AvU3Launcher.exe
QQPCMgr.exe
QQPCMgr.exe
runiep.exe
runiep.exe
rfwmain.exe
rfwmain.exe
rfwsrv.exe
rfwsrv.exe
KAVPF.exe
KAVPF.exe
KPFW32.exe
KPFW32.exe
nod32kui.exe
nod32kui.exe
nod32.exe
nod32.exe
Navapsvc.exe
Navapsvc.exe
SelfUpdate.exe
SelfUpdate.exe
QQPCRTP.exe
QQPCRTP.exe
Navapw32.exe
Navapw32.exe
avconsol.exe
avconsol.exe
webscanx.exe
webscanx.exe
NPFMntor.exe
NPFMntor.exe
vsstat.exe
vsstat.exe
zjb.exe
zjb.exe
KPfwSvc.exe
KPfwSvc.exe
QQDoctorMain.exe
QQDoctorMain.exe
RavTask.exe
RavTask.exe
atpup.exe
atpup.exe
mmsk.exe
mmsk.exe
WoptiClean.exe
WoptiClean.exe
QQKav.exe
QQKav.exe
EGHOST.exe
EGHOST.exe
QQDoctor.exe
QQDoctor.exe
RegClean.exe
RegClean.exe
FYFireWall.exe
FYFireWall.exe
iparmo.exe
iparmo.exe
adam.exe
adam.exe
KWSMain.exe
KWSMain.exe
IceSword.exe
IceSword.exe
360rpt.exe
360rpt.exe
AgentSvr.exe
AgentSvr.exe
AppSvc32.exe
AppSvc32.exe
autoruns.exe
autoruns.exe
avgrssvc.exe
avgrssvc.exe
DSMain.exe
DSMain.exe
360sd.exe
360sd.exe
kwstray.exe
kwstray.exe
AvMonitor.exe
AvMonitor.exe
CCenter.exe
CCenter.exe
ccSvcHst.exe
ccSvcHst.exe
FileDsty.exe
FileDsty.exe
FTCleanerShell.exe
FTCleanerShell.exe
HijackThis.exe
HijackThis.exe
Iparmor.exe
Iparmor.exe
isPwdSvc.exe
isPwdSvc.exe
KSWebShield.exe
KSWebShield.exe
kabaload.exe
kabaload.exe
KaScrScn.SCR
KaScrScn.SCR
KASMain.exe
KASMain.exe
KASTask.exe
KASTask.exe
AntiU.exe
AntiU.exe
KAV32.exe
KAV32.exe
KAVDX.exe
KAVDX.exe
KAVPFW.exe
KAVPFW.exe
KAVSetup.exe
KAVSetup.exe
ArSwp2.exe
ArSwp2.exe
KISLnchr.exe
KISLnchr.exe
KMailMon.exe
KMailMon.exe
KMFilter.exe
KMFilter.exe
KPFW32X.exe
KPFW32X.exe
KPFWSvc.exe
KPFWSvc.exe
KRegEx.exe
KRegEx.exe
KsLoader.exe
KsLoader.exe
KVCenter.kxp
KVCenter.kxp
ArSwp3.exe
ArSwp3.exe
KvDetect.exe
KvDetect.exe
KvfwMcl.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP.kxp
KVMonXP_1.kxp
KVMonXP_1.kxp
kvol.exe
kvol.exe
kvolself.exe
kvolself.exe
KVScan.kxp
KVScan.kxp
KVSrvXP.exe
KVSrvXP.exe
KVStub.kxp
KVStub.kxp
kvupload.exe
kvupload.exe
kvwsc.exe
kvwsc.exe
KvXP.kxp
KvXP.kxp
KvXP_1.kxp
KvXP_1.kxp
KWatch.exe
KWatch.exe
KWatch9x.exe
KWatch9x.exe
KWatchX.exe
KWatchX.exe
loaddll.exe
loaddll.exe
MagicSet.exe
MagicSet.exe
PFW.exe
PFW.exe
mcconsol.exe
mcconsol.exe
QQPCTray.exe
QQPCTray.exe
nod32krn.exe
nod32krn.exe
PFWLiveUpdate.exe
PFWLiveUpdate.exe
QHSET.exe
QHSET.exe
RavStub.exe
RavStub.exe
Ras.exe
Ras.exe
rfwcfg.exe
rfwcfg.exe
RfwMain.exe
RfwMain.exe
RsAgent.exe
RsAgent.exe
Rsaupd.exe
Rsaupd.exe
safelive.exe
safelive.exe
irsetup.exe
irsetup.exe
scan32.exe
scan32.exe
shcfg32.exe
shcfg32.exe
SmartUp.exe
SmartUp.exe
SREng.EXE
SREng.EXE
symlcsvc.exe
symlcsvc.exe
SysSafe.exe
SysSafe.exe
TrojanDetector.exe
TrojanDetector.exe
Trojanwall.exe
Trojanwall.exe
KWSUpd.exe
KWSUpd.exe
UIHost.exe
UIHost.exe
UmxAgent.exe
UmxAgent.exe
UmxAttachment.exe
UmxAttachment.exe
360sdrun.exe
360sdrun.exe
UmxCfg.exe
UmxCfg.exe
UmxFwHlp.exe
UmxFwHlp.exe
UmxPol.exe
UmxPol.exe
UpLive.exe
UpLive.exe
upiea.exe
upiea.exe
AST.exe
AST.exe
ArSwp.exe
ArSwp.exe
USBCleaner.exe
USBCleaner.exe
rstrui.exe
rstrui.exe
KvReport.kxp
KvReport.kxp
QQSC.exe
QQSC.exe
ghost.exe
ghost.exe
KRepair.com
KRepair.com
SREngPS.EXE
SREngPS.EXE
XDelBox.exe
XDelBox.exe
kpfw32.exe
kpfw32.exe
kavstart.exe
kavstart.exe
kpfwsvc.exe
kpfwsvc.exe
kmailmon.exe
kmailmon.exe
kissvc.exe
kissvc.exe
appdllman.exe
appdllman.exe
~.exe
~.exe
sos.exe
sos.exe
UFO.exe
UFO.exe
TNT.Exe
TNT.Exe
niu.exe
niu.exe
XP.exe
XP.exe
Wsyscheck.exe
Wsyscheck.exe
TxoMoU.Exe
TxoMoU.Exe
AoYun.exe
AoYun.exe
auto.exe
auto.exe
AutoRun.exe
AutoRun.exe
av.exe
av.exe
zxsweep.exe
zxsweep.exe
cross.exe
cross.exe
Discovery.exe
Discovery.exe
guangd.exe
guangd.exe
kernelwind32.exe
kernelwind32.exe
logogo.exe
logogo.exe
kwatch.exe
kwatch.exe
QQDoctorRtp.exe
QQDoctorRtp.exe
NAVSetup.exe
NAVSetup.exe
pagefile.exe
pagefile.exe
pagefile.pif
pagefile.pif
rfwProxy.exe
rfwProxy.exe
SDGames.exe
SDGames.exe
servet.exe
servet.exe
KAVStart.exe
KAVStart.exe
mmqczj.exe
mmqczj.exe
TrojDie.kxp
TrojDie.kxp
RavMonD.exe
RavMonD.exe
Rav.exe
Rav.exe
RavMon.exe
RavMon.exe
RsTray.exe
RsTray.exe
ScanFrm.exe
ScanFrm.exe
rsnetsvr.exe
rsnetsvr.exe
arswp2.exe
arswp2.exe
arswp3.exe
arswp3.exe
zhudongfangyu.exe
zhudongfangyu.exe
799d.exe
799d.exe
stormii.exe
stormii.exe
tmp.exe
tmp.exe
jisu.exe
jisu.exe
filmst.exe
filmst.exe
qheart.exe
qheart.exe
qsetup.exe
qsetup.exe
sxgame.exe
sxgame.exe
wbapp.exe
wbapp.exe
pfserver.exe
pfserver.exe
QQPCSmashFile.exe
QQPCSmashFile.exe
avp.com
avp.com
avp.exe
avp.exe
iq123.com
iq123.com
yijidh.com
yijidh.com
250dh.cn
250dh.cn
223.la
223.la
kuku123.com
kuku123.com
930930.com
930930.com
9123.com
9123.com
hao123e.com
hao123e.com
020.com
020.com
youxi777.com
youxi777.com
1616.net
1616.net
1188.com
1188.com
urldh.com
urldh.com
daohang.la
daohang.la
pp55.com
pp55.com
9605.com
9605.com
05505.cn
05505.cn
7055.net
7055.net
0056.com
0056.com
6655.com
6655.com
1166.com
1166.com
5kip.com
5kip.com
114xia.com
114xia.com
265dh.com
265dh.com
3567.com
3567.com
6565.cn
6565.cn
666t.com
666t.com
9223.com
9223.com
dduu.com
dduu.com
hao123.cn
hao123.cn
5snow.com
5snow.com
2523.com
2523.com
5599.net
5599.net
tt98.com
tt98.com
zhaodao123.com
zhaodao123.com
kuhao123.com
kuhao123.com
5151la.net
5151la.net
6h.com.cn
6h.com.cn
zeibi.com
zeibi.com
6e8e.com
6e8e.com
th123.com
th123.com
9991.com
9991.com
hao123ol.com
hao123ol.com
wu123.com
wu123.com
t220.cn
t220.cn
ttver.net
ttver.net
188HI.com
188HI.com
go2000.com
go2000.com
5igb.com
5igb.com
bb2000.net
bb2000.net
9wa.com
9wa.com
qq5.com
qq5.com
365j.com
365j.com
7345.com
7345.com
2760.com
2760.com
361la.com
361la.com
haojs.com
haojs.com
5zd.com
5zd.com
i8866.com
i8866.com
100wz.com
100wz.com
114hi.com
114hi.com
234.la
234.la
657.com
657.com
339.la
339.la
365wz.net
365wz.net
7792.com
7792.com
9495.com
9495.com
dazuimao.com
dazuimao.com
71314.com
71314.com
265.com
265.com
gouwo.com
gouwo.com
huai456.com
huai456.com
ku256.com
ku256.com
my180.com
my180.com
2522.cn
2522.cn
405.cn
405.cn
44244.com
44244.com
111dh.com
111dh.com
115ku.com
115ku.com
13387.com
13387.com
163yes.com
163yes.com
256s.com
256s.com
2676.com
2676.com
3355.net
3355.net
365lo.com
365lo.com
4168.com
4168.com
4545.cn
4545.cn
4688.com
4688.com
566.net
566.net
5666.net
5666.net
5733.com
5733.com
6461.cn
6461.cn
7356.com
7356.com
800186.com
800186.com
85851.com
85851.com
asp51.com
asp51.com
361dh.com
361dh.com
5566.net
5566.net
yulinweb.com
yulinweb.com
6296.com.cn
6296.com.cn
mianfeia.com
mianfeia.com
ai1234.com
ai1234.com
k369.com
k369.com
msncn.com
msncn.com
ss256.com
ss256.com
min513.com
min513.com
88-888.com
88-888.com
lggg.cn
lggg.cn
7771.cn
7771.cn
leeboo.com
leeboo.com
jjol.cn
jjol.cn
5566.com
5566.com
9166.net
9166.net
hao253.com
hao253.com
7b.com.cn
7b.com.cn
haoei.com
haoei.com
77114.com
77114.com
21310.cn
21310.cn
weiduomei.net
weiduomei.net
kk3000.cn
kk3000.cn
7241.cn
7241.cn
44384.com
44384.com
daohang1234.com
daohang1234.com
131.cc
131.cc
223224.com
223224.com
537.com
537.com
9348.cn
9348.cn
bju123.cn
bju123.cn
i4455.com
i4455.com
jia123.com
jia123.com
0666.com.cn
0666.com.cn
553.la
553.la
5566.org
5566.org
37021.com
37021.com
88488.com
88488.com
99986.net
99986.net
37021.net
37021.net
k986.com
k986.com
cc62.com
cc62.com
5518.cn
5518.cn
55620.com
55620.com
52416.com
52416.com
7357.cn
7357.cn
8c8c.net
8c8c.net
9999q.com
9999q.com
123shi123.com
123shi123.com
yl234.cn
yl234.cn
3322.com
3322.com
hao222.com
hao222.com
6313.com
6313.com
f127.com
f127.com
5599cn.cn
5599cn.cn
99499.com
99499.com
2548.cn
2548.cn
133.net
133.net
ie30.com
ie30.com
8751.com
8751.com
160dh.com
160dh.com
114115.com
114115.com
1322.cn
1322.cn
hh361.com
hh361.com
2800.cc
2800.cc
52daohang.com
52daohang.com
186.me
186.me
diyidh.com
diyidh.com
zaodezhu.com
zaodezhu.com
7832.com
7832.com
3073.com
3073.com
2058.cc
2058.cc
3456.cc
3456.cc
7771.com
7771.com
q6789.com
q6789.com
7k.cc
7k.cc
dianzi88.com
dianzi88.com
7802.com
7802.com
xinbut.com
xinbut.com
59688.com
59688.com
gjj.cc
gjj.cc
youla.com
youla.com
ok1616.com
ok1616.com
i2345.cn
i2345.cn
gg8000.com
gg8000.com
daohang12345.cn
daohang12345.cn
inina.cn
inina.cn
dowei.com
dowei.com
1515.net
1515.net
41119.cn
41119.cn
21230.cn
21230.cn
97youku.com
97youku.com
fast35.net
fast35.net
m32.cn
m32.cn
tom155.cn
tom155.cn
668yo.com
668yo.com
online.cq.cn
online.cq.cn
shagua.cn
shagua.cn
007247.cn
603467.cn
197326.cn
wwwoj.cn
xp22.cn
84022.cn
520593.cn
448789.cn
141321.cn
36gggg.cn
427842.cn
niubihao123.cn
ovooo.cn
rtys520.net
rtxzw.com
uurenti.cc
bo.dy288.com
renti11.com
123.cd
336655.com
9978.net
114la.com
520.com
6l.cn
420.cn
v989.com
16551.com
2tvv.com
m4455.com
5987.net
7999.com
caipopo.com
wndhw.com
henku123.com
qu123.com
94176.com
u526.com
haokan123.com
uusee.net
9733.com
qnrwz.com
999w.com
h935.com
33250.com
tz911.net
639e.com
920xx.cn
13393.com
tncdh.com
sou185.com
3566.cc
580so.com
2001.cc
hnhao123.com
zz5.net.cn
abc123.name
ekan123.com
1266.cc
hao123.cc
126.cc
ie1788.com
58daohang.com
6dh.com
991.cn
114la.me
1133.cc
ads8.com
haoz.com
jsing.net
123.sogou.com
3321.com
1155.cc
hao123.com
hao123.net
6700.cn
168.com
uu881.com
6264.cn
606600.com
2345.com
5607.cn
1111116.com
v7799.com
ie7.com.cn
365t.cc
89679.com
35029.com
8d9a.cn
400zm.com
58816.com
727dh.cn
hao123w.com
114td.com
28101.cn
03336.cn
79001.cn
133132.com
3434.com.cn
828dh.cn
64500.cn
22q.cc
jj77.com
vvyy.net
ie567.com
5d5e.com
212dh.cn
911g.cn
1616.la
tomatolei.com
96nn.com
5543.com
2288.org
3322.org
9966.org
8800.org
8866.org
7766.org
22409.com
se-se.info
26043.com
34414.com
gaoav1.info
0558114.com
3333dh.cn
zjialin.com
22dao.com
soupay.com
langlangdoor.com
99cu.com
5555dh.cn
wang123.net
haaoo123.com
3645.com
hao123q.com
tvsooo.com
gaituba.com
45566.net
2298.cn
iexx.com
dh115.com
97sp.cn
39r.cn
f8f8.cn
391kk.cn
266.cc
jysoso.net
wg510.cn
1155.com
114d.org
ie3721.com
2142.cn
go2000.cc
go2000.cn
99521.com
yeooo.com
haha123.com
hao.360.cn
07707.cn
yy2000.net
1111118.com
26281.com
960dh.cn
300.cc
163333333.com.cn
kz300.cn
i3525.cn
67881.net
t2t2.net
mm4000.cn
669dh.cn
k58n.com
haoha123.com
ab99.com
i2255.com
054.cc
fffggqq.cn
k2345.net
vv33.com
tuku6.com
mmpp654.com
228dh.cn
seibb.com
14164.com
552dh.cn
hao969.com
lalamao.com
21225.cn
5k5.net
65630.cn
at46.cn
98928.cn
ads.eorezo.com
661dh.cn
6320.com
henbianjie.com
xiushe.com
5mqxmq.com
989228.com
i8844.cn
g1476.cn
4j4j.cn
1777zzw5.com
989228.cn
henbucuo.com
886dh.cn
2255.net
160yes.com
u8s.cn
16711.com
626dh.cn
rfwow.cn
baiyici.cn
lalamao.cn
136s.com
huhuyy.cn
8diq.com
d2fs.cn
0229.com
yy4000.com
9934.cn
3883.net
151dh.com
26dh.cn
kkwwxx.com
t67.net
29dao.cn
58ju.com
dnc8.net
yl177.com.cn
xj.cn
950990.cn
114.com.cn
xxxip.cn
3628.com
265.cc
26.la
5654.com
zg115.com
969dh.cn
111555.com.cn
pic.jinti.com
kk8000.com
wokaokao.cn
duoxxppmmkoo.com
kanlink.cn
91youa.com
shinia.cn
pp9pp9.cn
ma80.com
556dh.cn
bu4.cn
8555.com
e23.la
flash678.cn
yy4000.cn
wo333.com
mv700.com
xcwhgx.cn
3s11.cn
sp16888.com
k7k7.com
zzw5.com
okdianying.com
789bb.com
antuoo.com
so06.com
665532.cn
7f7f.com
k261.com
fanbaidu.org.cn
iu888.cn
977k.com
93w.com
68566.com.cn
zhidao163.cn
it958.cn
lx8000.cn
sc.cn
ucuc.cc
kkdowns.com
189189.com
0002.com
4737.cn
226dh.cn
bb115.cn
06000.cn
u87.cn
sohao123.com
k887.com
hao602.com
t7t7.net
ku4000.cn
v6677.cn
hong666.com
4000a.com
kk4000.cn
7767.com
11227.cn
u9u9.net
28113.cn
rr55.com
a4000.cn
yunfujkw.cn
886.com
2800.cer.cn
zyyu.com
49la.com
hi3000.cn
sogouliulanqi.com
888ge.com
00333.cn
29wz.com
soso126.com
180wan.com
kan888.com
4929.cn
v2233.com
m345.cn
tt265.net
18ttt.com
153.cc
00664.cn
gugogo.com
kk4000.com
185b.com
uuent.com
6666dh.cn
25dao.com
shangla.com
77177.cn
haoq123.com
baiduo.org
lejiu.net
dianxin.cn
u7758.com
dao234.com
85692.com
xiaosb.com
soso313.cn
939dh.com
85952.com
31346.com
71528.com
788dh.com
91695.com
5566x.com
131u.com
1149.cn
9281.net
my115.net
4119.cn
9m1.net
dh818.com
iehwz.com
wa200.com
hao234.cc
6781.com
652dh.com
16811.com
zhongshu.net
992k.com
71628.com
6701.com
diyou.net
iehao123.com
laidao123.com
yinfen.net
wz4321.com
shangqu.info
5121.net
668g.com
51150.com
53ff.com
dada123.com
you2000.com
884599.cn
kuaijiong.com
398.cn
32387.com
82vv.com
46.com
09tao.com
977dh.com
598.net
211dh.com
9365.info
wblive.com
e722.com
v232.com
7400.net
62106.com
ll4xi.com
3932.com
puZeng.com
97199.com
447.cc
0749.com
6656.net
niebai.com
447.com
uuchina.net
hao123cn.info
dao666.com
9813.org
91kk.com
freedh.info
yidaba.com
161111111.com
009dh.com
qsxx.cn
geyuan.net
8t8.net
xorg.pl
bij.pl
qqnz.com
srpkw.com
gggdu.com
baiduo.com
wys99.com
leilei.cc
3633.net
fjta.com
so11.cn
522dh.com
9249.com
3110.cn
300cc.com
7669.cn
5c6.com
7993.cn
8336.cn
03m.net
ou33.com
bv0.net
163333333.cn
45575.com
2637.cn
skyhouse.com.cn
98453.com
65642.net
776la.com
256.CC
114king.cn
yyyqq.com
huhu123.com
gyyx.cn
2888.me
4444dh.cn
191pk.com
118.com
57xswz.com
how18.cn
sohu12333333.com
xz26.com
654v.com
280580.cn
fjgqw.com
49558.cn
pp8000.cn
265it.com
soolaa.com
9899.cn
18143.com
haoxyz.com
4555.net
10du.net
528988.com
wahahaha123.com
c256.cn
chinaih.com
mnv.cn
633dh.com
ncjxx.com
51721.net
556w.com
114cc.net
5go.com.cn
pp4000.com
8844.com
dd335.cn
qu163.net
itwenba.cn
dou2game.cn
h220.com
neng123.com
pleoc.cn
6006.cc
987654.com
39903.com
ddoowwnn.cn
788111.com
zhidao001.com
5hao123.com
978.la
135968.cn
bb112.com
r220.cn
365kong.com
woainame.cn
okgouwu.cn
hao006.com
jipinla.com
99467.com
wawamm.cn
qian14.cn
ip27.cn
56dh.cn
2966.com
game333.net
kukuwz.com
1-xiu.cn
92hao123.com
lian9.cn
222q.cn
jj98.com
73vv.com
mubanw.com
t262.com
x1258.cn
weishi66.cn
hao990.com
68la.com
sowang123.cn
3929.cn
5665.cn
81sf.com
kz123.cn
qq806.cn
ffwyt.com
kpscc.sys
\\.\MYFL
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
c:\RECYCLER\winlogon.exe
RavExt.dll
bsmain.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}
2009.lnk
2010.lnk
Common Files\Microsoft Shared\explorer.exe
ips888.dll
autorun.inf
}.exe
My Documents.exe
hXXp://VVV.dh008.com/?ie
winlogon.exe
%Program Files%\Internet Explorer\iexplore.exe
Intennet Exploner.lnk
A.url
C.url
&.url
D:\Program Files\Internet Explorer\iexplore.exe
C:\TSTP
C:\TSTP\winlogon.exe
C:\TSTP\
TSPS.lnk
c:\85S22.dat
svchost.exe
boot.ini
1681.lnk
8970.lnk
c:\MFILES\winlogon.exe
explorer.exe hXXp://VVV.dh008.com/?TJ-
Shareds.dll
q9q.dll
TaskTray.dll
Q888.dll
LoginCtrl.dll
x0x.dll
mp.dll
xlooo.dll
TaskManager.dll
explorer.exe
.idata
.edata
P.reloc
P.rsrc
taskmgr.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
SetWindowsHookExA
IMAGEHLP.DLL
nthide.dll
KWindows
shell\open\Command=svchost.exe
shell\explore\Command=svchost.exe
c:\TSTP\winlogon.exe
AutoRun.inf
mmp.dat
hXXp://VVV.dh008.com/?Dll
WinExec
shell32.dll
Q08.dll
3#43494>4
UrlMon
Q09.dll
xlo.dll
xln.dll
IEXPLORE.EXE
%Program Files%\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
URL=hXXp://888.qq2233.com/
URL=hXXp://888.qq2233.com/taobao.htm
URL=hXXp://VVV.vol777.com/?Dll
;=!`;=)`
;=&` winlogon.exe
;=&`;=&`
.text
h.rdata
H.data
.reloc
PID is:%d
MyPspaddress is: X
NTOSKRNL.EXE
GetWindowsDirectoryA
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
.rdata
.vol7
( X
>..\..\..\..\..\..\Program Files\Internet Explorer\IEXPLORE.EXE"%Program Files%\Internet Explorer
hXXp://VVV.sfc007.com/?98`
hXXp://VVV.sfc007.com/?98
..\..\..\TSTP\winlogon.exe
C:\TSTP`
explorer.exe_3900_rwx_008E0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
explorer.exe_3900_rwx_008F0000_00001000:
|explorer.exeM_3900_
Explorer.EXE_2032_rwx_00E70000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_2032_rwx_00E80000_00001000:
|explorer.exeM_2032_
Explorer.EXE_2032_rwx_5CB71000_00001000:
[MSG ]
[SeiConstructChain] %s!%-20s 0x%p ->
[SeiConstructChain] %s!#%d 0x%p ->
[SeiGetPatchAddress] Dll "%S" not yet loaded for memory patching.
[SeiApplyPatch] NtProtectVirtualMemory failed 0x%X.
[SeiApplyPatch] Unknown patch opcode 0x%X.
[SeiApplyPatch] NtFlushInstructionCache failed w/ status 0x%X.
[SeiResolveAPIs] There is no "%s!%s" !
[SeiResolveAPIs] There is no "%s!#%d" !
[SeiResolveAPIs] Resolved "%s!%s" to 0x%p
[SeiResolveAPIs] Resolved "%s!#%d" to 0x%p
[SeiResolveAPIs] Failed to convert string "%s" to UNICODE.
[SeiIsExcluded] Module "%s" mixed inclusion/exclusion for API "%s!%s". Included.
[SeiIsExcluded] Module "%s" mixed inclusion/exclusion for API "%s!#%d". Included.
[SeiIsExcluded] module "%s" excluded for shim %S, API "%s!%s", because it is in the exclude list (MODE: ES).
[SeiIsExcluded] module "%s" excluded for shim %S, API "%s!#%d", because it is in the exclude list (MODE: ES).
[SeiIsExcluded] module "%s" excluded for shim %S, API "%s!%s", because it is in System32.
[SeiIsExcluded] module "%s" excluded for shim %S, API "%s!#%d", because it is in System32.
[SeiIsExcluded] module "%s" excluded for shim %S, API "%s!%s", because it is not in the include list (MODE: EA).
[SeiIsExcluded] module "%s" excluded for shim %S, API "%s!#%d", because it is not in the include list (MODE: EA).
[SeiIsExcluded] Module "%s" excluded for shim %S, API "%s!%s", because it is in the exclude list (MODE: IA).
[SeiIsExcluded] Module "%s" excluded for shim %S, API "%s!#%d", because it is in the exclude list (MODE: IA).
[SeiHookImports] Failed 0x%X to change protection to PAGE_READWRITE. Addr 0x%p
[SeiHookImports] Failed to change back the protection
[SeiHookImports] Hooking API "%s!%s" for DLL "%s"
[SeiHookImports] Hooking API "%s!#%d" for DLL "%s"
[SeiHookImports] Hooking module 0x%p "%s"
[SeiHookImports] Cannot convert "%S" to ANSI
[SeiBuildGlobalInclList] Failed to allocate %d bytes
[SeiBuildGlobalInclList] 0x%X Cannot convert UNICODE "%S" to ANSI
[SeiBuildGlobalInclList] EXE name used in the global exclusion list!
[SeiBuildInclExclListForShim] Failed to allocate %d bytes
[SeiBuildInclExclListForShim] 0x%X Cannot convert UNICODE "%S" to ANSI
[SeiBuildInclExclListForShim] EXE name resolved to "%S".
[SeiCopyGlobalInclList] (2) Failed to allocate %d bytes
[SeiCopyGlobalInclList] (1) Failed to allocate %d bytes
[SeiBuildInclListWithOneModule] Failed to allocate %d bytes
verifier.dll
ntdll.dll
kernel32.dll
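Editor's note on the strings above. Two entries, shell\open\Command=svchost.exe and shell\explore\Command=svchost.exe, are the body of the autorun.inf the WormAutorun payload writes: they rebind the drive's Open and Explore verbs so that double-clicking the drive in Explorer runs the copy dropped as svchost.exe on the drive root. The SafeBoot\Minimal and SafeBoot\Network subkeys for {4D36E967-E325-11CE-BFC1-08002BE10318} (the disk-drive device class) are needed for Safe Mode to boot, so a triage of an infected host should confirm with reg query that they still exist, next to the DisableRegistryTools and ShowSuperHidden policy values also named here. The [Sei...] format strings in the last Explorer.EXE dump belong to the Windows application-compatibility shim engine and are expected in an Explorer process; they are not by themselves evidence of the injected code. The script below is an added example written for this page, not part of the Lavasoft report or of the sample: it parses an autorun.inf built from the two report strings and matches constructed BIND-style DNS query lines against a handful of the report's domains. Both inputs are constructed, and the domain subset is an assumption; many entries in the long list are ordinary Chinese navigation portals (hao123.com, 2345.com, 114la.com) or lookalikes of them, so a DNS hit is a lead to confirm, not a verdict.

```python
"""Triage helpers for the indicators in this report (added example; the
autorun.inf and DNS log below are constructed for the demonstration)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Two entries copied from the report's string list.
REPORT_AUTORUN_STRINGS = [
    r"shell\open\Command=svchost.exe",
    r"shell\explore\Command=svchost.exe",
]

# Constructed (hypothetical) autorun.inf built around those two lines.
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "label=Removable Disk\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    + "\r\n".join(REPORT_AUTORUN_STRINGS)
    + "\r\nshellexecute=svchost.exe\r\n"
)

# Keys that make Explorer run something on AutoPlay or on Open/Explore.
_DIRECT_VERB_KEYS = {"open", "shellexecute"}
_EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.IGNORECASE)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value map.
    Keys keep their backslashes, e.g. 'shell\\open\\command'."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text: str) -> List[str]:
    """Every autorun entry that would execute a program, as 'key=value'."""
    hits: List[str] = []
    for key, value in parse_autorun_inf(text).items():
        is_verb = key in _DIRECT_VERB_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if is_verb and _EXECUTABLE_RE.search(value):
            hits.append(f"{key}={value}")
    return hits


# Assumed subset of the report's domains: the four hosts from its hXXp://
# strings plus a few entries from the long list above.
REPORT_DOMAINS: Set[str] = {
    "dh008.com", "qq2233.com", "vol777.com", "sfc007.com",
    "hao123.com", "2345.com", "114la.com", "pic.jinti.com", "ads.eorezo.com",
}

# Constructed BIND-style query log (RFC 5737 test addresses).
SAMPLE_DNS_LOG = """\
10-Mar-2010 09:12:01.100 client 192.0.2.10#1034: query: www.dh008.com IN A + (192.0.2.1)
10-Mar-2010 09:12:02.250 client 192.0.2.10#1035: query: 888.qq2233.com IN A + (192.0.2.1)
10-Mar-2010 09:12:03.400 client 192.0.2.11#1036: query: update.microsoft.com IN A + (192.0.2.1)
10-Mar-2010 09:12:04.550 client 192.0.2.12#1037: query: notdh008.com IN A + (192.0.2.1)
10-Mar-2010 09:12:05.700 client 192.0.2.13#1038: query: PIC.JINTI.COM. IN A + (192.0.2.1)
"""

_QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")


def matching_indicator(host: str, indicators: Set[str] = REPORT_DOMAINS) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.
    Matching is label-wise, so notdh008.com does not match dh008.com the way
    a naive endswith() would."""
    labels = host.strip().rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_dns_log(log: str, indicators: Set[str] = REPORT_DOMAINS) -> List[Tuple[str, str, str]]:
    """(client, queried host, matched indicator) for every hit in the log."""
    hits: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        client, host = m.groups()
        indicator = matching_indicator(host, indicators)
        if indicator:
            hits.append((client, host.rstrip(".").lower(), indicator))
    return hits


if __name__ == "__main__":
    print("autorun.inf launch entries:", autorun_launch_targets(SAMPLE_AUTORUN_INF))
    for client, host, indicator in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {host} (indicator {indicator})")
```

On a live host, feed autorun_launch_targets the autorun.inf from each removable drive root (the file is usually hidden and system-flagged; the ShowSuperHidden value in the list above is what the sample clears so Explorer keeps it hidden) and scan_dns_log the resolver log of the affected subnet; the label-wise matcher is what keeps the long domain list from producing hits on unrelated names that merely end in the same characters.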