Susp_Dropper (Kaspersky), Dropped:Generic.Malware.SBdld!.3A16F05C (B) (Emsisoft), Dropped:Generic.Malware.SBdld!.3A16F05C (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 197383db272e4570e1ffe382ec859eff
SHA1: 8c6b615dd9da424e8a55cef19d2291b46930075d
SHA256: 6d9919204ae07b11b30160c859cb7fe8fee241cc44d6c31b08e326df5858ee2f
SSDeep: 768:jwumGFcCo2CG52SdwxOBxib9/3a0eIo5vN4DUYHBFf9qc:EumGFc9GkBxQKHV
Size: 36320 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: FSGv133Eng_v1, FSGv133Eng_v2, FSGv133, UPolyXv05_v6
Company: r-installer
Created at: 1987-09-11 05:35:02
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
install.exe:1376
%original file name%.exe:1852
knzwd.exe:1176
iexplarer.exe:368
taskmgr.exe:508
sihf8.exe:212
mlo5jupht9mejgm.exe:1688
win.exe:948
Regsvr32.exe:1364
debug.exe:1220
The Dropped injects its code into the following process(es):
rundll32.exe:1204
Explorer.EXE:1988
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process install.exe:1376 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yawghd72y7huhd.tmp (4 bytes)
The process %original file name%.exe:1852 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mlo5jupht9mejgm.exe (60 bytes)
%System%\tzwv2w.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sihf8.exe (30 bytes)
C:\p2hhr.bat (46 bytes)
%System%\g7e7n5i.dll (30 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3449327852.exe (0 bytes)
The process knzwd.exe:1176 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\osjfs873wuhd.tmp (16 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3463859102.exe (0 bytes)
The process sihf8.exe:212 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\knzwd.exe (30 bytes)
The process mlo5jupht9mejgm.exe:1688 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%WinDir%\win.exe (60 bytes)
%WinDir%\taskmgr.exe (60 bytes)
%WinDir%\iexplarer.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install.exe (60 bytes)
%WinDir%\debug.exe (60 bytes)
The process rundll32.exe:1204 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sdkik3fsiedfahfyg.tmp (16 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3465890352.exe (0 bytes)
Registry activity
The process install.exe:1376 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 D2 4E 78 17 9F 84 A6 9A 8C 50 66 B4 24 51 90"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden" = "0"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1852 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"winid" = "1D00A31CCB61186"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 42 85 99 B6 C6 3C BE 6D 2C E9 E2 76 00 B9 E1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"p2hhr.bat" = "p2hhr"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process knzwd.exe:1176 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 F7 52 BC 9A 7D 1B 38 06 3B 32 19 7C 42 FC 1B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process iexplarer.exe:368 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 05 4B E1 D1 20 88 45 85 36 A5 78 03 C8 BC 11"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKbuqc" = "%WinDir%\iexplarer.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKbuqc" = "%WinDir%\iexplarer.exe"
The process taskmgr.exe:508 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 45 82 FE 61 90 2D D8 21 BF 58 B2 87 9E A4 AA"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKerb" = "%WinDir%\taskmgr.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKerb" = "%WinDir%\taskmgr.exe"
The process sihf8.exe:212 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 ED 04 86 AD 3D DB 46 81 0B D8 17 7A 8D E8 F0"
The process mlo5jupht9mejgm.exe:1688 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 B3 08 06 20 D5 AF 31 FB E6 D2 CB D2 31 9A F8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"UserId" = "1D00A31CEA85D00"
The process rundll32.exe:1204 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 2A 8F D9 0C 0B 2D 54 64 A8 3B 7C 0E 83 6A 61"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process win.exe:948 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 A7 BB 3A 4C 3B 68 91 07 32 CC C0 E5 75 7F D0"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKfa" = "%WinDir%\win.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKfa" = "%WinDir%\win.exe"
The process Regsvr32.exe:1364 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 DA E1 CB 52 80 C4 03 26 FC D6 40 CB 70 83 6A"
[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B6BA40C1-A501-59BD-F413-03B03A2C8952}" = "dfskea98e4iagjiufhg87df87u"
[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}]
"(Default)" = "%System%\tzwv2w.dll"
[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}\InProcServer32]
"(Default)" = "%System%\tzwv2w.dll"
[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}]
"ThreadingModel" = "Apartment"
The Dropped deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The process debug.exe:1220 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 86 ED 91 B0 B0 9F F9 E5 0F C0 6C 36 82 0A E5"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKaoc" = "%WinDir%\debug.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKaoc" = "%WinDir%\debug.exe"
Dropped PE files
MD5 | File path |
---|---|
7b164d5f12a262de73d6de3514c39297 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\install.exe |
4f4b18521cebd7d0b8230808c87d6b73 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\knzwd.exe |
2271f5b5ae21d67450a8f9b33148da78 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\mlo5jupht9mejgm.exe |
4d5f476ab5728c9c1c33c3e4d855f4a1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sihf8.exe |
7b164d5f12a262de73d6de3514c39297 | c:\WINDOWS\debug.exe |
7b164d5f12a262de73d6de3514c39297 | c:\WINDOWS\iexplarer.exe |
98dd737a06bdaa4773cc7580957df796 | c:\WINDOWS\system32\g7e7n5i.dll |
84541ff8b993aa4d57c5af5f6207b664 | c:\WINDOWS\system32\tzwv2w.dll |
7b164d5f12a262de73d6de3514c39297 | c:\WINDOWS\taskmgr.exe |
7b164d5f12a262de73d6de3514c39297 | c:\WINDOWS\win.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
install.exe:1376
%original file name%.exe:1852
knzwd.exe:1176
iexplarer.exe:368
taskmgr.exe:508
sihf8.exe:212
mlo5jupht9mejgm.exe:1688
win.exe:948
Regsvr32.exe:1364
debug.exe:1220
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\%current user%\Local Settings\Temp\yawghd72y7huhd.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mlo5jupht9mejgm.exe (60 bytes)
%System%\tzwv2w.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sihf8.exe (30 bytes)
C:\p2hhr.bat (46 bytes)
%System%\g7e7n5i.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\osjfs873wuhd.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\knzwd.exe (30 bytes)
%WinDir%\win.exe (60 bytes)
%WinDir%\taskmgr.exe (60 bytes)
%WinDir%\iexplarer.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install.exe (60 bytes)
%WinDir%\debug.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sdkik3fsiedfahfyg.tmp (16 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKbuqc" = "%WinDir%\iexplarer.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKbuqc" = "%WinDir%\iexplarer.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKerb" = "%WinDir%\taskmgr.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKerb" = "%WinDir%\taskmgr.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKfa" = "%WinDir%\win.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKfa" = "%WinDir%\win.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKaoc" = "%WinDir%\debug.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKaoc" = "%WinDir%\debug.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
 | 4096 | 192512 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
 | 196608 | 36864 | 35808 | 5.39635 | 3c539893f1b208fb89bea5b2a01ada8d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://instunes.com/dw/vp1.php?id=1D00A31CCB61186&ver=v10&v=2010_10_20&er=S_wd_rd_wrd_rrd_we_re_wc_rc_W5.1- | 50.63.75.1 |
hxxp://instunes.com/dw/dw.php?id=1D00A31CCB61186&ver=v11 | 50.63.75.1 |
hxxp://instunes.com/dw/dw.php?id=&ver=v11 | 50.63.75.1 |
hxxp://instunes.com/dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11 | 50.63.75.1 |
hxxp://nupilo.com/rz/mn.php?ver=H2 | 185.53.177.8 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11 HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:16 GMT
Server: Apache
Content-Length: 397
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /instunes/dw/dw.php was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.<hr>.<address>Apache Server at instunes.com Port 80</address>.</body></html>...
GET /rz/mn.php?ver=H2 HTTP/1.1
User-Agent: Mozilla/4.0 (SPGK)
Host: nupilo.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Nov 2014 16:09:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Buckets:
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_h00Cslewff37o4uaKyyLoQV/44NDl3Qx4Kgp/Pp969SOwago45dofa9mdeKa4IdyWn96S9KFS8oEkbRMeHS oA==
df9..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_h00Cslewff37o4uaKyyLoQV/44NDl3Qx4Kgp/Pp969SOwago45dofa9mdeKa4IdyWn96S9KFS8oEkbRMeHS oA==" xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head>.<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>.<title>nupilo.com</title>.<script src="hXXp://VVV.google.com/adsense/domains/caf.js" type="text/javascript" ></script>.<link href="hXXp://f.movfst.net/themes/saledefault.css" rel="stylesheet" type="text/css" media="screen" />.<link href="hXXp://f.movfst.net/themes/assets/style.css" rel="stylesheet" type="text/css" media="screen" />.<link href="hXXp://f.movfst.net/themes/cleanPeppermintBlack/style.css" rel="stylesheet" type="text/css" media="screen" />.<link href='http://fonts.googleapis.com/css?family=Libre Baskerville:400,700' rel='stylesheet' type='text/css'>.</head>.<body id="afd" style="visibility:hidden">.<script src="hXXp://VVV.parkingcrew.net/scripts/sale_form.js" type="text/javascript"></script>.<div id="sale_banner_orange">.<a class="firstlink" href="hXXp://domainnamesales.com/lcontact?d=nupilo.com" target="_blank" onmousedown="tlink('ing', 'nupilo.com');">.Click here to buy nupilo.com for your web
<<< skipped >>>
GET /dw/vp1.php?id=1D00A31CCB61186&ver=v10&v=2010_10_20&er=S_wd_rd_wrd_rrd_we_re_wc_rc_W5.1- HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:13 GMT
Server: Apache
Content-Length: 398
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /instunes/dw/vp1.php was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.<hr>.<address>Apache Server at instunes.com Port 80</address>.</body></html>...
GET /dw/dw.php?id=&ver=v11 HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:14 GMT
Server: Apache
Content-Length: 397
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /instunes/dw/dw.php was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.<hr>.<address>Apache Server at instunes.com Port 80</address>.</body></html>...
GET /dw/dw.php?id=1D00A31CCB61186&ver=v11 HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:14 GMT
Server: Apache
Content-Length: 397
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /instunes/dw/dw.php was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.<hr>.<address>Apache Server at instunes.com Port 80</address>.</body></html>...
Map
The Dropped connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_1204:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
rundll32.exe_1204_rwx_10001000_00017000:
hXXp://instunes.com/dw/dw.php?id=&ver=v11
3465890352.exe
rundll32.exe %System%\g7e7n5i.dll, SystemServer
em32\g7e7n5i.dll
Mozilla/4.0 (SP3 WINLD)
%lu.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GET %s HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: %s
sdkik3fsiedfahfyg.tmp
hXXp://instunes.com/dw/dw.php?id=%s&ver=v11
hXXp://setservs.com/dw/dw.php?id=%s&ver=v11
hXXp://lator.in/dw/dw.php?id=%s&ver=v11
rundll32.exe %s, SystemServer
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
InternetOpenUrlA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
.text
`.bss
.rdata
@.data
.reloc
knzwd.exe_1176:
KERNEL32.dll
user32.dll
shell32.dll
ShellExecuteA
kernel32.dll
advapi32.dll
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
wininet.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
InternetOpenUrlA
DeleteUrlCacheEntryA
wsock32.dll
Mozilla/4.0 (SP3 WINLD)
Software\Microsoft\Windows\CurrentVersion\Explorer
%lu.exe
%lu.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 _.exe
osjfs873wuhd.tmp
GET %s HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: %s
hXXp://instunes.com/dw/dw.php?id=%s&ver=v11
hXXp://setservs.com/dw/dw.php?id=%s&ver=v11
hXXp://lator.in/dw/dw.php?id=%s&ver=v11
3463859102.exe
\LOCALS~1\Temp\knzwd.exe
hXXp://instunes.com/dw/dw.php?id=1D00A31CCB61186&ver=v11
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe
#$%&'()*
,-./012
3456789:
12345678
.co~m7dw
.dlx=y
debug.exe_1220:
KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;
.dlx
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\debug.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;
456789 /
SRE@XW=.
L32.dl
.dlx=I
install.exe_1376:
KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;
.dlx
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;
456789 /
SRE@XW=.
L32.dl
.dlx=I
taskmgr.exe_508:
KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;
.dlx
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\taskmgr.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;
456789 /
SRE@XW=.
L32.dl
.dlx=I
win.exe_948:
KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;
.dlx
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\win.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;
456789 /
SRE@XW=.
L32.dl
.dlx=I
iexplarer.exe_368:
KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;
.dlx
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\iexplarer.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;
456789 /
SRE@XW=.
L32.dl
.dlx=I
Explorer.EXE_1988_rwx_01EA1000_00019000:
hXXp://instunes.com/dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11
3498390352.exe
%WinDir%\Explorer.EXE
Mozilla/4.0 (SP3 WINLD)
{B6BA40C1-A501-59BD-F413-03B03A2C8952}
%lu.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
CLSID\%s
SOFTWARE\Classes\CLSID\%s\InProcServer32
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
GET %s HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: %s
hse87ejdjfhiw3dfdfd.tmp
hXXp://instunes.com/dw/dw.php?id=%s&ver=v11
hXXp://setservs.com/dw/dw.php?id=%s&ver=v11
hXXp://lator.in/dw/dw.php?id=%s&ver=v11
opera
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
UnhookWindowsHookEx
SetWindowsHookExA
InternetOpenUrlA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
.text
`.bss
.rdata
@.data
.reloc
lv.aj
!"#$%&'()* ,-./0123456789:;
Mozilla/4.0 (SP3 W
-A501-59BD-F413-03B03A2C8952}
\%sSOFTWA
GET %s HTTP/1;
pmhXXp://4>un
7).com/dw
.php?
gEKey
`.bssg
.rd2i
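Added example, not part of the Lavasoft report and not code from the sample: the network and process-name strings recovered from the iexplarer.exe and Explorer.EXE dumps above, turned into a small detection script and run over constructed proxy-log lines. The domains, the two fixed User-Agent strings, the script paths, the dw.php?id=...&ver=v11 check-in format and the '#'-delimited process list are copied from the dump (hXXp restored to http). The proxy-log format, the benign third line, the function names and the reading of the process list as a set of image names to compare against are assumptions made for the example; the dump does not show how the sample uses that list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the strings dump above.
C2_DOMAINS = {"nupilo.com", "instunes.com", "setservs.com", "lator.in"}
AD_NETWORK_DOMAINS = {"validclick.net", "7search.com"}
STATIC_USER_AGENTS = {"Mozilla/4.0 (SPGK)", "Mozilla/4.0 (SP3 WINLD)"}
# Server-side script paths seen in the dump's URL strings.
BEACON_PATHS = {"/rz/mn.php", "/rz/report.php", "/im/pst.php", "/dw/dw.php",
                "/pic/pst.php", "/pic/pst3.php", "/pic/sese.php"}
# Process-name list from the dump, in the sample's own '#'-terminated form.
PROCESS_LIST_RAW = ("gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#"
                    "taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#"
                    "drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#")


def split_hash_list(raw):
    """Split one of the sample's '#'-delimited, '#'-terminated lists (the
    process list and the spoofed-browser User-Agent list share this layout).
    The empty field after the trailing '#' is dropped, order is kept,
    repeated entries (mdm, taskmgr) are collapsed."""
    seen, out = set(), []
    for item in raw.split("#"):
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


PROCESS_NAMES = set(split_hash_list(PROCESS_LIST_RAW))


def matches_process_list(image_name):
    """True if an image name or full path is on the sample's list.
    Assumption: base name compared case-insensitively with '.exe' stripped."""
    base = image_name.rsplit("\\", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base in PROCESS_NAMES


# Constructed log layout for this example: ts client METHOD url "User-Agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
                    r'(?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify_request(line):
    """Return the indicator names a proxy-log line trips (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    url = urlsplit(m.group("url"))
    host = url.hostname or ""
    hits = []
    if host in C2_DOMAINS:
        hits.append("c2-domain")
    if host in AD_NETWORK_DOMAINS:
        hits.append("ad-network-domain")
    if m.group("ua") in STATIC_USER_AGENTS:
        hits.append("static-user-agent")
    if url.path in BEACON_PATHS:
        hits.append("beacon-path")
    qs = parse_qs(url.query)
    # dw.php?id=<victim id>&ver=v11 is the downloader check-in format in the dump.
    if url.path == "/dw/dw.php" and qs.get("ver") == ["v11"] and "id" in qs:
        hits.append("downloader-checkin")
    return hits


# Constructed sample lines: two modelled on the dump's URLs, one benign.
SAMPLE_LOG = [
    '2010-06-01T12:00:00Z 10.0.0.5 GET http://instunes.com/dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11 "Mozilla/4.0 (SP3 WINLD)"',
    '2010-06-01T12:00:05Z 10.0.0.5 GET http://nupilo.com/rz/mn.php?ver=H2 "Mozilla/4.0 (SPGK)"',
    '2010-06-01T12:00:09Z 10.0.0.7 GET http://example.org/index.html "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"',
]


def scan_log(lines):
    """Map the index of each suspicious line to the indicators it tripped."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify_request(line))}


if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(idx, hits)
```

The fixed "Mozilla/4.0 (SP3 WINLD)" and "Mozilla/4.0 (SPGK)" headers are the cheapest signal: the sample only rotates the Firefox/Chrome strings for its click traffic, while the check-in to the dw.php and rz/ scripts uses the hard-coded ones.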