HEUR:Hoax.Win32.ArchSMS.gen (Kaspersky), Gen:Variant.Kazy.8502 (B) (Emsisoft), Gen:Variant.Kazy.8502 (AdAware), Trojan.Win32.EyeStye.FD, SpyEye.YR, TrojanEyeStye.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3b926de6bf3642dafdfbdcd57daae790
SHA1: 61553eda93e81936aa600ac0bcd0fd797ad00eec
SHA256: 298e36fe4b5a389600c00ba46ef53e0bb5b0cd7fc3fbf00b88df9828f9a2d0b2
SSDeep: 6144:/KkO9Qfu4PYLixPosddGBj8pdKgEVvvys1 mPbhiPFHdqqcE4ggIkuhali:/KRDggaoy5pdYpvpziPFHcNq3
Size: 314880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Premium Installer
Created at: 2011-05-03 04:14:32
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
B6232F3A951.exe:1760
The Trojan injects its code into the following process(es):
mscorsvw.exe:424
cmd.exe:244
svchost.exe:340
jqs.exe:480
winlogon.exe:716
lsass.exe:772
svchost.exe:928
svchost.exe:1012
svchost.exe:1096
svchost.exe:1144
svchost.exe:1188
spoolsv.exe:1432
Explorer.EXE:1948
wmiprvse.exe:3704
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process B6232F3A951.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Recycle.Bin\450EA779C22EAD4 (8 bytes)
Registry activity
The process B6232F3A951.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 C1 82 5D 44 F8 56 07 C0 AE 64 C7 AC 40 1C BB"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
InternetWriteFile
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
InternetQueryOptionA
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
The Trojan installs the following user-mode hooks in ntdll.dll:
ZwVdmControl
ZwSetInformationFile
NtResumeThread
ZwQueryDirectoryFile
ZwEnumerateValueKey
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
B6232F3A951.exe:1760
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Recycle.Bin\450EA779C22EAD4 (8 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Don HO don.h@free.fr
Product Name: Notepad
Product Version: 5.7
Legal Copyright: Copyleft 1998-2006 by Don HO
Legal Trademarks:
Original Filename: Notepad .exe
Internal Name: npp.exe
File Version: 5.7
File Description: Notepad : a free (GNU) source code editor
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 180224 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 184320 | 311296 | 310784 | 5.51958 | 43ba23d7ecb65c5e65ec6c27f3765e12 |
.rsrc | 495616 | 4096 | 3072 | 2.09766 | 5994d4f01e938e09928768f4b86091ff |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
cmd.exe_244_rwx_0BAD0000_0004E000:
.text
.text
.reloc
.reloc
`.data
`.data
.rsrc
.rsrc
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
SHELL32.dll
SHELL32.dll
systray.pdb
systray.pdb
explorer.exe
explorer.exe
threadmetadata!nfo%d
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
\\.\pipe\globpluginsuninstallpipe
XX
XX
SOFTWARE\Microsoft Windows
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
u.u.u u:u:u.u
Content-Length: %u
Content-Length: %u
HTTP/
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies-nontor.xml
cookies.txt
cookies.txt
sessionstore.js
sessionstore.js
sessionstore.bak
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite-journal
cookies.sqlite
cookies.sqlite
GdiplusShutdown
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
\\.\pipe\globpluginspipe
Global\%s
Global\%s
\\.\pipe\globgatepipe
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
X X
nspr4.dll
nspr4.dll
seieapiXX
seieapiXX
set_url
set_url
Host: %s
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
/Mozilla/Firefox/
%d.%d.%d
%d.%d.%d
keys
keys
http:
http:
urlmask
urlmask
cert
cert
rapport
rapport
%s\Content.IE5\0
%s\Content.IE5\0
%s\Content.IE5\%s
%s\Content.IE5\%s
\Content.IE5\*.*
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
r = %s
%s%s&rep=%s
%s%s&rep=%s
tid=%u&stat=
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
[ERROR] : dwErr == %u
%d-%d-%d
%d-%d-%d
Global\X
Global\X
%s%s%s
%s%s%s
opera
opera
wlcomm.exe
wlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
hXXp://
hXXp://
hXXps://
hXXps://
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.
HTTP/1.
.mpeg
.mpeg
.jpeg
.jpeg
chrome
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
EnableHttp1_1
1.2.4
1.2.4
w SSh
w SSh
t.VPW
t.VPW
FVSSh
FVSSh
.exeW
.exeW
FTPQ
FTPQ
C:\Recycle.Bin\450EA779C22EAD4
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\ntdll.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
C:\Recycle.Bin\
B6232F3A951.exe
B6232F3A951.exe
Iw7k5M2US.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
config.bin
config.bin
Recycle.Bin
Recycle.Bin
Microsoft Windows
Microsoft Windows
PFXExportCertStoreEx
PFXExportCertStoreEx
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertOpenStore
CertOpenStore
CertGetCertificateContextProperty
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertNameToStrA
CertNameToStrA
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
MSIMG32.dll
MSIMG32.dll
urlmon.dll
urlmon.dll
GetProcessHeap
GetProcessHeap
WaitNamedPipeA
WaitNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
GetWindowsDirectoryA
GetWindowsDirectoryA
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
3$3*303\3
3$3*303\3
6%6U6t6
6%6U6t6
>)?0?9?[?|?
>)?0?9?[?|?
6)6:6?6\6
6)6:6?6\6
>'>.>5>{>
>'>.>5>{>
4-444C4T4Y4p4y4}4
4-444C4T4Y4p4y4}4
Systray .exe stub
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
systray.exe
Windows
Windows
Operating System
Operating System
5.2.3790.1830
5.2.3790.1830
\prefs.js
\prefs.js
(GMT %su:u) %s
(GMT %su:u) %s
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
svchost.exe_340_rwx_0BAD0000_0004E000:
.text
.text
.reloc
.reloc
`.data
`.data
.rsrc
.rsrc
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
SHELL32.dll
SHELL32.dll
systray.pdb
systray.pdb
explorer.exe
explorer.exe
threadmetadata!nfo%d
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
\\.\pipe\globpluginsuninstallpipe
XX
XX
SOFTWARE\Microsoft Windows
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
u.u.u u:u:u.u
Content-Length: %u
Content-Length: %u
HTTP/
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies-nontor.xml
cookies.txt
cookies.txt
sessionstore.js
sessionstore.js
sessionstore.bak
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite-journal
cookies.sqlite
cookies.sqlite
GdiplusShutdown
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
\\.\pipe\globpluginspipe
Global\%s
Global\%s
\\.\pipe\globgatepipe
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
X X
nspr4.dll
nspr4.dll
seieapiXX
seieapiXX
set_url
set_url
Host: %s
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
/Mozilla/Firefox/
%d.%d.%d
%d.%d.%d
keys
keys
http:
http:
urlmask
urlmask
cert
cert
rapport
rapport
%s\Content.IE5\0
%s\Content.IE5\0
%s\Content.IE5\%s
%s\Content.IE5\%s
\Content.IE5\*.*
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
r = %s
%s%s&rep=%s
%s%s&rep=%s
tid=%u&stat=
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
[ERROR] : dwErr == %u
%d-%d-%d
%d-%d-%d
Global\X
Global\X
%s%s%s
%s%s%s
opera
opera
wlcomm.exe
wlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
hXXp://
hXXp://
hXXps://
hXXps://
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.
HTTP/1.
.mpeg
.mpeg
.jpeg
.jpeg
chrome
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
EnableHttp1_1
1.2.4
1.2.4
w SSh
w SSh
t.VPW
t.VPW
FVSSh
FVSSh
.exeW
.exeW
FTPQ
FTPQ
C:\Recycle.Bin\450EA779C22EAD4
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\ntdll.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
C:\Recycle.Bin\
B6232F3A951.exe
B6232F3A951.exe
Iw7k5M2US.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
config.bin
config.bin
Recycle.Bin
Recycle.Bin
Microsoft Windows
Microsoft Windows
PFXExportCertStoreEx
PFXExportCertStoreEx
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertOpenStore
CertOpenStore
CertGetCertificateContextProperty
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertNameToStrA
CertNameToStrA
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
MSIMG32.dll
MSIMG32.dll
urlmon.dll
urlmon.dll
GetProcessHeap
GetProcessHeap
WaitNamedPipeA
WaitNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
GetWindowsDirectoryA
GetWindowsDirectoryA
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
3$3*303\3
3$3*303\3
6%6U6t6
6%6U6t6
>)?0?9?[?|?
>)?0?9?[?|?
6)6:6?6\6
6)6:6?6\6
>'>.>5>{>
>'>.>5>{>
4-444C4T4Y4p4y4}4
4-444C4T4Y4p4y4}4
Systray .exe stub
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
systray.exe
Windows
Windows
Operating System
Operating System
5.2.3790.1830
5.2.3790.1830
\prefs.js
\prefs.js
(GMT %su:u) %s
(GMT %su:u) %s
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
mscorsvw.exe_424_rwx_008D0000_00005000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
Plugin_CreditGrab.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
Callback_OnBeforeProcessUrl
.google.
.google.
.ebuddy.
.ebuddy.
.facebook.
.facebook.
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
mscorsvw.exe_424_rwx_0BAD0000_0004E000:
.text
.text
.reloc
.reloc
`.data
`.data
.rsrc
.rsrc
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
SHELL32.dll
SHELL32.dll
systray.pdb
systray.pdb
explorer.exe
explorer.exe
threadmetadata!nfo%d
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
\\.\pipe\globpluginsuninstallpipe
XX
XX
SOFTWARE\Microsoft Windows
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
u.u.u u:u:u.u
Content-Length: %u
Content-Length: %u
HTTP/
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies-nontor.xml
cookies.txt
cookies.txt
sessionstore.js
sessionstore.js
sessionstore.bak
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite-journal
cookies.sqlite
cookies.sqlite
GdiplusShutdown
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
\\.\pipe\globpluginspipe
Global\%s
Global\%s
\\.\pipe\globgatepipe
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
X X
nspr4.dll
nspr4.dll
seieapiXX
seieapiXX
set_url
set_url
Host: %s
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
/Mozilla/Firefox/
%d.%d.%d
%d.%d.%d
keys
keys
http:
http:
urlmask
urlmask
cert
cert
rapport
rapport
%s\Content.IE5\0
%s\Content.IE5\0
%s\Content.IE5\%s
%s\Content.IE5\%s
\Content.IE5\*.*
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
r = %s
%s%s&rep=%s
%s%s&rep=%s
tid=%u&stat=
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
[ERROR] : dwErr == %u
%d-%d-%d
%d-%d-%d
Global\X
Global\X
%s%s%s
%s%s%s
opera
opera
wlcomm.exe
wlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
hXXp://
hXXp://
hXXps://
hXXps://
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.
HTTP/1.
.mpeg
.mpeg
.jpeg
.jpeg
chrome
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
EnableHttp1_1
1.2.4
1.2.4
w SSh
w SSh
t.VPW
t.VPW
FVSSh
FVSSh
.exeW
.exeW
FTPQ
FTPQ
%System%\WININET.dll
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\ntdll.dll
%System%\USER32.dll
%System%\USER32.dll
%System%\CRYPT32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
C:\Recycle.Bin\
B6232F3A951.exe
B6232F3A951.exe
Iw7k5M2US.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
config.bin
config.bin
Recycle.Bin
Recycle.Bin
Microsoft Windows
Microsoft Windows
%System%\ADVAPI32.dll
%System%\ADVAPI32.dll
%System%\WS2_32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
PFXExportCertStoreEx
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertOpenStore
CertOpenStore
CertGetCertificateContextProperty
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertNameToStrA
CertNameToStrA
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
MSIMG32.dll
MSIMG32.dll
urlmon.dll
urlmon.dll
GetProcessHeap
GetProcessHeap
WaitNamedPipeA
WaitNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
GetWindowsDirectoryA
GetWindowsDirectoryA
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
3$3*303\3
3$3*303\3
6%6U6t6
6%6U6t6
>)?0?9?[?|?
>)?0?9?[?|?
6)6:6?6\6
6)6:6?6\6
>'>.>5>{>
>'>.>5>{>
4-444C4T4Y4p4y4}4
4-444C4T4Y4p4y4}4
Systray .exe stub
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
systray.exe
Windows
Windows
Operating System
Operating System
5.2.3790.1830
5.2.3790.1830
\prefs.js
\prefs.js
(GMT %su:u) %s
(GMT %su:u) %s
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
mscorsvw.exe_424_rwx_3D940000_00001000:
sensapi.dll
sensapi.dll
mscorsvw.exe_424_rwx_3D94B000_00003000:
HTTP/%d.%d
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
mscorsvw.exe_424_rwx_3D94F000_00001000:
QSSSSh
QSSSSh
mscorsvw.exe_424_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
mscorsvw.exe_424_rwx_3D963000_00001000:
\"/:|?*
\"/:|?*
mscorsvw.exe_424_rwx_3D9A6000_00001000:
SSSSh
SSSSh
jqs.exe_480_rwx_010C0000_00005000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
Plugin_CreditGrab.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
Callback_OnBeforeProcessUrl
.google.
.google.
.ebuddy.
.ebuddy.
.facebook.
.facebook.
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
jqs.exe_480_rwx_0BAD0000_0004E000:
.text
.text
.reloc
.reloc
`.data
`.data
.rsrc
.rsrc
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
SHELL32.dll
SHELL32.dll
systray.pdb
systray.pdb
explorer.exe
explorer.exe
threadmetadata!nfo%d
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
\\.\pipe\globpluginsuninstallpipe
XX
XX
SOFTWARE\Microsoft Windows
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
u.u.u u:u:u.u
Content-Length: %u
Content-Length: %u
HTTP/
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies-nontor.xml
cookies.txt
cookies.txt
sessionstore.js
sessionstore.js
sessionstore.bak
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite-journal
cookies.sqlite
cookies.sqlite
GdiplusShutdown
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
\\.\pipe\globpluginspipe
Global\%s
Global\%s
\\.\pipe\globgatepipe
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
X X
nspr4.dll
nspr4.dll
seieapiXX
seieapiXX
set_url
set_url
Host: %s
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
/Mozilla/Firefox/
%d.%d.%d
%d.%d.%d
keys
keys
http:
http:
urlmask
urlmask
cert
cert
rapport
rapport
%s\Content.IE5\0
%s\Content.IE5\0
%s\Content.IE5\%s
%s\Content.IE5\%s
\Content.IE5\*.*
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
r = %s
%s%s&rep=%s
%s%s&rep=%s
tid=%u&stat=
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
[ERROR] : dwErr == %u
%d-%d-%d
%d-%d-%d
Global\X
Global\X
%s%s%s
%s%s%s
opera
opera
wlcomm.exe
wlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
hXXp://
hXXp://
hXXps://
hXXps://
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.
HTTP/1.
.mpeg
.mpeg
.jpeg
.jpeg
chrome
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
EnableHttp1_1
1.2.4
1.2.4
w SSh
w SSh
t.VPW
t.VPW
FVSSh
FVSSh
.exeW
.exeW
FTPQ
FTPQ
%System%\WININET.dll
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\ntdll.dll
%System%\USER32.dll
%System%\USER32.dll
%System%\CRYPT32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
C:\Recycle.Bin\
B6232F3A951.exe
B6232F3A951.exe
Iw7k5M2US.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
config.bin
config.bin
Recycle.Bin
Recycle.Bin
Microsoft Windows
Microsoft Windows
%System%\ADVAPI32.dll
%System%\ADVAPI32.dll
%System%\WS2_32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
PFXExportCertStoreEx
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertOpenStore
CertOpenStore
CertGetCertificateContextProperty
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertNameToStrA
CertNameToStrA
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
MSIMG32.dll
MSIMG32.dll
urlmon.dll
urlmon.dll
GetProcessHeap
GetProcessHeap
WaitNamedPipeA
WaitNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
GetWindowsDirectoryA
GetWindowsDirectoryA
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
3$3*303\3
3$3*303\3
6%6U6t6
6%6U6t6
>)?0?9?[?|?
>)?0?9?[?|?
6)6:6?6\6
6)6:6?6\6
>'>.>5>{>
>'>.>5>{>
4-444C4T4Y4p4y4}4
4-444C4T4Y4p4y4}4
Systray .exe stub
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
systray.exe
Windows
Windows
Operating System
Operating System
5.2.3790.1830
5.2.3790.1830
\prefs.js
\prefs.js
(GMT %su:u) %s
(GMT %su:u) %s
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
jqs.exe_480_rwx_3D940000_00001000:
sensapi.dll
sensapi.dll
jqs.exe_480_rwx_3D94B000_00003000:
HTTP/%d.%d
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
jqs.exe_480_rwx_3D94F000_00001000:
QSSSSh
QSSSSh
jqs.exe_480_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
jqs.exe_480_rwx_3D963000_00001000:
\"/:|?*
\"/:|?*
jqs.exe_480_rwx_3D9A6000_00001000:
SSSSh
SSSSh
winlogon.exe_716_rwx_012D0000_00005000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
Plugin_CreditGrab.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
Callback_OnBeforeProcessUrl
.google.
.google.
.ebuddy.
.ebuddy.
.facebook.
.facebook.
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
winlogon.exe_716_rwx_0BAD0000_0004E000:
winlogon.exe_716_rwx_3D940000_00001000:
sensapi.dll
winlogon.exe_716_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
winlogon.exe_716_rwx_3D94F000_00001000:
winlogon.exe_716_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
winlogon.exe_716_rwx_3D963000_00001000:
\"/:|?*
winlogon.exe_716_rwx_3D9A6000_00001000:
lsass.exe_772_rwx_00BF0000_00005000:
lsass.exe_772_rwx_0BAD0000_0004E000:
lsass.exe_772_rwx_3D940000_00001000:
sensapi.dll
lsass.exe_772_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
lsass.exe_772_rwx_3D94F000_00001000:
lsass.exe_772_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
lsass.exe_772_rwx_3D963000_00001000:
\"/:|?*
lsass.exe_772_rwx_3D9A6000_00001000:
svchost.exe_928_rwx_0BAD0000_0004E000:
svchost.exe_1012_rwx_00B40000_00005000:
svchost.exe_1012_rwx_0BAD0000_0004E000:
svchost.exe_1012_rwx_3D940000_00001000:
sensapi.dll
svchost.exe_1012_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
svchost.exe_1012_rwx_3D94F000_00001000:
svchost.exe_1012_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
svchost.exe_1012_rwx_3D963000_00001000:
\"/:|?*
svchost.exe_1012_rwx_3D9A6000_00001000:
svchost.exe_1096_rwx_02980000_00005000:
svchost.exe_1096_rwx_0BAD0000_0004E000:
svchost.exe_1096_rwx_3D940000_00001000:
sensapi.dll
sensapi.dll
svchost.exe_1096_rwx_3D94B000_00003000:
HTTP/%d.%d
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
svchost.exe_1096_rwx_3D94F000_00001000:
QSSSSh
QSSSSh
svchost.exe_1096_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
svchost.exe_1096_rwx_3D963000_00001000:
\"/:|?*
\"/:|?*
svchost.exe_1096_rwx_3D9A6000_00001000:
SSSSh
SSSSh
svchost.exe_1144_rwx_00820000_00005000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
Plugin_CreditGrab.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
Callback_OnBeforeProcessUrl
.google.
.google.
.ebuddy.
.ebuddy.
.facebook.
.facebook.
5.1.2600!XP2!D8CC41DB
5.1.2600!XP2!D8CC41DB
svchost.exe_1144_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
c:\windows\system32\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>
4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
svchost.exe_1144_rwx_3D940000_00001000:
sensapi.dll
svchost.exe_1144_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
svchost.exe_1144_rwx_3D94F000_00001000:
QSSSSh
svchost.exe_1144_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
svchost.exe_1144_rwx_3D963000_00001000:
\"/:|?*
svchost.exe_1144_rwx_3D9A6000_00001000:
SSSSh
svchost.exe_1188_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>
4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
spoolsv.exe_1432_rwx_00D00000_00005000:
.text
`.rdata
@.data
.reloc
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
.google.
.ebuddy.
.facebook.
5.1.2600!XP2!D8CC41DB
spoolsv.exe_1432_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>
4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
spoolsv.exe_1432_rwx_3D940000_00001000:
sensapi.dll
spoolsv.exe_1432_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
spoolsv.exe_1432_rwx_3D94F000_00001000:
QSSSSh
spoolsv.exe_1432_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
spoolsv.exe_1432_rwx_3D963000_00001000:
\"/:|?*
spoolsv.exe_1432_rwx_3D9A6000_00001000:
SSSSh
Explorer.EXE_1948_rwx_01100000_00002000:
!EYEc:\%original file name%.exe
C:\Recycle.Bin\
B6232F3A951.exe
xqCSLEoSiMC.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
Explorer.EXE_1948_rwx_01340000_00005000:
.text
`.rdata
@.data
.reloc
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
.google.
.ebuddy.
.facebook.
5.1.2600!XP2!D8CC41DB
Explorer.EXE_1948_rwx_01730000_00006000:
.text
`.rdata
@.data
.reloc
PSSSSSSh
Advapi32.dll
guid=%s&ver=%u&ie=%s&os=%u.%u.%u&ut=%s&ccrc=X&md5=%s&plg=%s&plgstat=%s&wake=%u
%s&stat=online
hXXp://VVV.microsoft.com
%s&%s
ntdll.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
ADVAPI32.dll
customconnector.dll
TakeBotExeMd5Callback
TakeStartExe
TakeUpdateBotExe
Content-Type: application/x-www-form-urlencoded
5.1.2600!XP2!D8CC41DB
hXXp://troleybusikoff.ru/forum.php
Explorer.EXE_1948_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>
4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
Explorer.EXE_1948_rwx_0BB60000_0005A000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
MSIMG32.dll
MSIMG32.dll
urlmon.dll
urlmon.dll
GetProcessHeap
GetProcessHeap
WaitNamedPipeA
WaitNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
GetWindowsDirectoryA
GetWindowsDirectoryA
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
3$3*303\3
3$3*303\3
6%6U6t6
6%6U6t6
>)?0?9?[?|?
>)?0?9?[?|?
6)6:6?6\6
6)6:6?6\6
>'>.>5>{>
>'>.>5>{>
4-444C4T4Y4p4y4}4
4-444C4T4Y4p4y4}4
Systray .exe stub
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
systray.exe
Windows
Windows
Operating System
Operating System
5.2.3790.1830
5.2.3790.1830
\prefs.js
\prefs.js
(GMT %su:u) %s
(GMT %su:u) %s
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
Explorer.EXE_1948_rwx_3D94F000_00001000:
QSSSSh
Explorer.EXE_1948_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
Explorer.EXE_1948_rwx_3D9A6000_00001000:
SSSSh
wmiprvse.exe_3704_rwx_00F50000_00005000:
.text
`.rdata
@.data
.reloc
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
.google.
.ebuddy.
.facebook.
5.1.2600!XP2!D8CC41DB
wmiprvse.exe_3704_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>
4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
wmiprvse.exe_3704_rwx_3D940000_00001000:
sensapi.dll
wmiprvse.exe_3704_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
wmiprvse.exe_3704_rwx_3D94F000_00001000:
QSSSSh
wmiprvse.exe_3704_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
wmiprvse.exe_3704_rwx_3D963000_00001000:
\"/:|?*
wmiprvse.exe_3704_rwx_3D9A6000_00001000:
SSSSh