Skip to main content

FakeAV_5deeff0512


Fake-AV.Win32.FakeAV.iije (Kaspersky), Trojan.Generic.KD.369558 (B) (Emsisoft), Trojan.Generic.KD.369558 (AdAware)Behaviour: Fake-AV

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5deeff05129a1d4aaf5bac9091d9058f

SHA1: 07f42d03bf6786a9720afca3c21f7c2b28cb429d

SHA256: 77cc991cadb6bd6db66df45324f62786ad74e819928228d5a1369b4661583ee3

SSDeep: 49152:BJqwJxr 7bFSMEFvEVuAuB2xG5d54d8sB YHGST6GzY:BJq9DEFvEMFB2ASgg6G

Size: 2390016 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Fusion Install

Created at: 2005-11-12 20:39:01

Analyzed on: WindowsXP SP3 32-bit

Summary: FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Fake-AV creates the following process(es):

wuauclt.exe:540
%original file name%.exe:1656

The Fake-AV injects its code into the following process(es):

exA1uvD2oFpHsJd.exe:1864

File activity

The process exA1uvD2oFpHsJd.exe:1864 makes changes in the file system.


The Fake-AV creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2bOpen Cloud AV.ico (676 bytes)
%Documents and Settings%\%current user%\Desktop\Open Cloud AV.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Open Cloud AV\Open Cloud AV.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\ldr.ini (1644 bytes)

The Fake-AV deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process wuauclt.exe:540 makes changes in the file system.


The Fake-AV creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Fake-AV deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:1656 makes changes in the file system.


The Fake-AV creates and/or writes to the following file(s):

%System%\config\software (838 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)
%System%\exA1uvD2oFpHsJd.exe (10752 bytes)

Registry activity

The process exA1uvD2oFpHsJd.exe:1864 makes changes in the system registry.


The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 20 B8 1F 8C 17 F1 92 5A DC EA 65 FC 70 D3 B8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process %original file name%.exe:1656 makes changes in the system registry.


The Fake-AV creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F D9 7C 48 14 CE 3C B2 25 70 8C 29 46 45 33 CC"

To automatically run itself each time Windows is booted, the Fake-AV adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xRZqhYCwkVlNx0c8234A" = "%System%\exA1uvD2oFpHsJd.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Screenshot

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:540
    %original file name%.exe:1656

  2. Delete the original Fake-AV file.
  3. Delete or disinfect the following files created/modified by the Fake-AV:

    %Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2bOpen Cloud AV.ico (676 bytes)
    %Documents and Settings%\%current user%\Desktop\Open Cloud AV.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Open Cloud AV\Open Cloud AV.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\ldr.ini (1644 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %System%\config\software (838 bytes)
    %System%\config\SOFTWARE.LOG (1987 bytes)
    %System%\exA1uvD2oFpHsJd.exe (10752 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "xRZqhYCwkVlNx0c8234A" = "%System%\exA1uvD2oFpHsJd.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096111730011176964.9112975caa66075b6477bd57a834bec9524b8
.rdata1122304126815363.514039e6b659a192e853f991203dd64a0937b
.data1126400126828012687365.54506ed1563f9848845eb710b9a918ac318de
.reloc2396160672153610241.3468511b3cd8b4cbfbb39a2e04bba2e5b8bdb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://google.com/173.194.32.166
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl23.37.37.163
hxxp://crl.verisign.com/pca3-g2.crl23.37.37.163
hxxp://crl.verisign.com/pca3.crl23.37.37.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl23.37.37.163
www.download.windowsupdate.com212.30.134.177

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CSC3-2009.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "ca78ff71d328047ab1f6f2dd982e54d9:1399928710"

Last-Modified: Mon, 12 May 2014 21:05:10 GMT

Accept-Ranges: bytes

Content-Length: 2249

Date: Tue, 13 May 2014 03:30:38 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA..140512210003Z..140526210003Z0...0!.....zOR.D...,oMa...090525061903Z0!......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940Z0!..?..}p 2I..o.\..u..090527061825Z0!..?....@.Z`......l..090527022214Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "072641a27cd10308fabc881f069f37c1:1396126208"

Last-Modified: Sat, 29 Mar 2014 20:50:08 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Tue, 13 May 2014 03:30:37 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140320000000Z..140630235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H................V.!F.Y..p.V......s..%..*l.z=...R./.F....q.......D.t......0b..?.R:9.(.|.....VBp8.......PZ...[o\p...U...........$).V.D....B@......

<<

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"

Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT

Accept-Ranges: bytes

Content-Length: 933

Date: Tue, 13 May 2014 03:30:40 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140320000000Z..140630235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H............_.w..J.l....[..H.X..)x.^.....S.O..v....K|.~.RP.k^.R.0........oF.l.w..4.W...A...}..8*.:rO6........%.C...........6$s....rQ....v...HTTP/1.1 200 OK..Server: Apache..ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"..Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT..Accept-Ranges: bytes..Content-Length: 933..Date: Tue, 13 May 2014 03:30:40 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140320000000Z..140630235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P.

<<

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-2-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "7ec0494a7288a550c3f3de408e9ca884:1399928710"

Last-Modified: Mon, 12 May 2014 21:05:10 GMT

Accept-Ranges: bytes

Content-Length: 37283

Date: Tue, 13 May 2014 03:30:40 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA..140512210002Z..140526210002Z0..h0!.....V..t..'.F(z....121202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z0!....42r...I.Y@...3..100526162150Z0!.........}..Dt...!..090922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........091203194409Z0!....B....d...*.P.@..100705023431Z0!.......m. .V.....~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<

<<< skipped >>>

GET / HTTP/1.1

Host: google.com

User-Agent: mozilla/2.0

Connection: close

HTTP/1.1 302 Found

Location: hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU_3yJeaayQOXlIHIBQ

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Set-Cookie: PREF=ID=f6c23712edbd5a1d:FF=0:TM=1399951821:LM=1399951821:S=OQTHMyaPiQuxlsvb; expires=Thu, 12-May-2016 03:30:21 GMT; path=/; domain=.google.com

Set-Cookie: NID=67=Od5HoomjUViLtJRDNoQ3IG5m19_yQ2aIjFi5_CD9aRX_dttRQf_PQKL4wdX9Uyu_pFbnSjtTFLUCNtEsVCXFLnsFJRpzFoD0YzTwUxrYqNdRkx4VAl6g04rzoI8lm8Ed; expires=Wed, 12-Nov-2014 03:30:21 GMT; path=/; domain=.google.com; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Date: Tue, 13 May 2014 03:30:21 GMT

Server: gws

Content-Length: 262

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic

Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU_3yJeaayQOXlIHIBQ">here</A>...</BODY></HTML>....

GET / HTTP/1.1

Host: google.com

User-Agent: mozilla/2.0

Connection: close

HTTP/1.1 302 Found

Location: hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU5TFJqH_ywOpo4H4BQ

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Set-Cookie: PREF=ID=c924d52e60b41975:FF=0:TM=1399951821:LM=1399951821:S=ZCyxXXYk2D8IprA9; expires=Thu, 12-May-2016 03:30:21 GMT; path=/; domain=.google.com

Set-Cookie: NID=67=daOBenXY2r7DlDFxIJFnXvQQXKLndHtlO-HLMsio9PU-a7ciJk32PKVB_ep7IKIcf99n0uwyEBmm-xtHd_yGszlNkY5UhBcZyJeHTedPWSRRCZp0TZMAEh8a-hLMsCQh; expires=Wed, 12-Nov-2014 03:30:21 GMT; path=/; domain=.google.com; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Date: Tue, 13 May 2014 03:30:21 GMT

Server: gws

Content-Length: 262

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic

Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU5TFJqH_ywOpo4H4BQ">here</A>...</BODY></HTML>....

Map

The Fake-AV connects to the servers at the folowing location(s):

Strings from Dumps

exA1uvD2oFpHsJd.exe_1864:

`.rsrc

`.rsrc

.Wj8hl83

.Wj8hl83

V SSh

V SSh

N SSh

N SSh

P SSh

P SSh

QSSh lW

QSSh lW

tFHt:Ht.Ht"Hu`

tFHt:Ht.Ht"Hu`

j%XtL9E

j%XtL9E

tWSShW

tWSShW

tl9_ tgSSh

tl9_ tgSSh

SSSSh0

SSSSh0

t'SShl

t'SShl

u$SShe

u$SShe

@ SSHPWj

@ SSHPWj

FTCP

FTCP

u.Ph$

u.Ph$

tAHt.HHt

tAHt.HHt

<SShG><pre>FtPW</pre><pre>SSh@B</pre><pre>xSSSh</pre><pre>FTPjKS</pre><pre>FtPj;S</pre><pre>C.PjRV</pre><pre>1.2.5</pre><pre>%s.zl</pre><pre>avgnt.exe</pre><pre>avgwdsvc.exe</pre><pre>AVGIDSAgent.exe</pre><pre>ccsvchst.exe</pre><pre>AvastUI.exe</pre><pre>mcagent.exe</pre><pre>ldr.ini</pre><pre>chrome.exe</pre><pre>iexplore.exe</pre><pre>http://google.com</pre><pre>http://%s</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>win32msmsgs.exe</pre><pre>win32itunes.exe</pre><pre>win32java.exe</pre><pre>win32wmplayer.exe</pre><pre>win32photoshop.exe</pre><pre>win32outlook.exe</pre><pre>win32excel.exe</pre><pre>win32winword.exe</pre><pre>win32safari.exe</pre><pre>win32firefox.exe</pre><pre>win32opera.exe</pre><pre>win32iexplore.exe</pre><pre>java.exe</pre><pre>drweb</pre><pre>http://%s/r.php?ver=14&id=%s&hwid=%s&p=%d&os=%s</pre><pre>9992665263</pre><pre>%s (%s:%d)</pre><pre>c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>%s %s%s</pre><pre>windows\</pre><pre>chargeyourorder.com</pre><pre>ordersonlinenow.com</pre><pre>mediaforclouds.com</pre><pre>ourbigvideostore.com</pre><pre>%d_%d_%d</pre><pre>%d_%d</pre><pre>%s\%s</pre><pre>sysl32.dll</pre><pre>TH_%d</pre><pre>http://photodatastore.com/sp.php?adv=%s&who=S</pre><pre>: Support</pre><pre>&key=</pre><pre>License key validated.</pre><pre>http://%s/ex2.php</pre><pre>%s "%s" %s</pre><pre>o@cmd.exe /c "%s"</pre><pre>del "%s"</pre><pre>if exist "%s" goto a</pre><pre>\oc%d_w32.bat</pre><pre>http://</pre><pre>HTTP/1.1 200 OK</pre><pre>HTTP/1.0 200 OK</pre><pre>POST %s HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</pre><pre>Content-Length: %u</pre><pre>GET %s HTTP/1.1</pre><pre>User-Agent: mozilla/2.0</pre><pre>spooler.exe</pre><pre>server.exe</pre><pre>winlogon.exe</pre><pre>un_inst.exe</pre><pre>IEUser.exe</pre><pre>SearchProtocolHost.exe</pre><pre>DllHost.exe</pre><pre>csrss.exe</pre><pre>Windows has detected malicious programs running on your computer.</pre><pre>Click here to activate your Windows antivirus software</pre><pre>http://%s/sig/?id=%s&system=%s&hwid=%s&n=%s</pre><pre>%s|%s|%d</pre><pre>%d.%d.%d</pre><pre>9972665267</pre><pre>9972439689</pre><pre>9882676258</pre><pre>9859198478</pre><pre>9691962564</pre><pre>9378969331</pre><pre>9376471437</pre><pre>9285678582</pre><pre>9221581871</pre><pre>9217457527</pre><pre>9217234169</pre><pre>8874598414</pre><pre>8861321723</pre><pre>8857988267</pre><pre>8838996945</pre><pre>8593214778</pre><pre>8567493449</pre><pre>8558121691</pre><pre>8525752718</pre><pre>8367636975</pre><pre>8356392329</pre><pre>8355289195</pre><pre>8355259195</pre><pre>8196375436</pre><pre>8196345414</pre><pre>8135259195</pre><pre>8132856849</pre><pre>7885832169</pre><pre>7852676282</pre><pre>7715438456</pre><pre>7659421734</pre><pre>7614643697</pre><pre>7592174565</pre><pre>7414541691</pre><pre>7246526785</pre><pre>6899692327</pre><pre>6874821958</pre><pre>6641354156</pre><pre>6637321723</pre><pre>6613528235</pre><pre>6593439566</pre><pre>6526765122</pre><pre>6378962334</pre><pre>6376736918</pre><pre>6315563723</pre><pre>5956636198</pre><pre>5932169186</pre><pre>5919825316</pre><pre>5898714538</pre><pre>5688289871</pre><pre>5379885698</pre><pre>5268174898</pre><pre>5267873675</pre><pre>4723274453</pre><pre>4687259849</pre><pre>4655834325</pre><pre>4439154958</pre><pre>4414895278</pre><pre>4281328365</pre><pre>4268761565</pre><pre>4261996943</pre><pre>4261328365</pre><pre>4235528916</pre><pre>4179195823</pre><pre>4159763697</pre><pre>4146739331</pre><pre>3961218556</pre><pre>3945638233</pre><pre>3924394865</pre><pre>3899836863</pre><pre>3798826765</pre><pre>3787693326</pre><pre>3787625649</pre><pre>3766368952</pre><pre>3619747186</pre><pre>3554156516</pre><pre>3541567625</pre><pre>2961332892</pre><pre>2838763789</pre><pre>2833525916</pre><pre>2819969298</pre><pre>2698736776</pre><pre>2676258959</pre><pre>2621948916</pre><pre>2619969432</pre><pre>2356258973</pre><pre>2343258649</pre><pre>2294654156</pre><pre>2285876582</pre><pre>1961232582</pre><pre>1837663686</pre><pre>1835437232</pre><pre>1789847197</pre><pre>1579859198</pre><pre>1354156739</pre><pre>1225242171</pre><pre>1196121858</pre><pre>1186796371</pre><pre>1171249582</pre><pre>1148762586</pre><pre>svg.ini</pre><pre>software\Microsoft\Windows\CurrentVersion</pre><pre>{5A92A751-F926-4BB9-872E-BEC4A4CD571F}</pre><pre>%u.%u.%u.%u</pre><pre>CluAdmin.exe</pre><pre>setup.exe</pre><pre>wab.exe</pre><pre>paint.exe</pre><pre>pools.exe</pre><pre>user32.exe</pre><pre>explorer.exe</pre><pre>notepad.exe</pre><pre>wmplayer.exe</pre><pre>msimn.exe</pre><pre>iexplorer.exe</pre><pre>calc.exe</pre><pre>%s\%s.exe</pre><pre>%s%s.ico</pre><pre>comctl32.dll</pre><pre>5_%d_%d_%d</pre><pre>4_%d_%d_%d</pre><pre>CSupportDlg</pre><pre>http://jn%s.%s/forum.cgi</pre><pre>email=%s&message=%s</pre><pre>HKEY\LM</pre><pre>HKEY\CU</pre><pre>%s\%s.ico</pre><pre>DEL_%d</pre><pre>Defs39491.db</pre><pre>XXXXXXXXXX</pre><pre>[%d] %s</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\NetworkCards</pre><pre>user32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl</pre><pre>Afx:%p:%x:%p:%p:%p</pre><pre>Afx:%p:%x</pre><pre>commctrl_DragListMsg</pre><pre>CCmdTarget</pre><pre>CNotSupportedException</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Network</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32</pre><pre>KERNEL32.DLL</pre><pre>%s%s.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp</pre><pre>lX-X-x-XX-XXXXXX</pre><pre>RegOpenKeyTransactedA</pre><pre>Advapi32.dll</pre><pre>RegCreateKeyTransactedA</pre><pre>RegDeleteKeyTransactedA</pre><pre>comdlg32.dll</pre><pre>shell32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp</pre><pre>mfcm100.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp</pre><pre>RegDeleteKeyExA</pre><pre>lXXxXXXXXXXX</pre><pre>Shell32.dll</pre><pre>%s:%x:%x:%x:%x</pre><pre>kernel32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp</pre><pre>%sMFCToolBar-%d%x</pre><pre>%sMFCToolBar-%d</pre><pre>%sMFCToolBarParameters</pre><pre>TOOLBAR_RESETKEYBAORD</pre><pre>&%d %s</pre><pre>MFCLink_UrlPrefix</pre><pre>MFCLink_Url</pre><pre>ole32.dll</pre><pre>CMDITabProxyWnd</pre><pre>CMDIChildWndEx</pre><pre>CMDIFrameWndEx</pre><pre>KeyboardManager</pre><pre>MSG_CHECKEMPTYMINIFRAME</pre><pre>%sDockingManager-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp</pre><pre>%sPane-%d%x</pre><pre>%sPane-%d</pre><pre>%sBasePane-%d%x</pre><pre>%sBasePane-%d</pre><pre>windows</pre><pre>ShowCmd</pre><pre>%c%d%c%s</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp</pre><pre>Hex={X,X,X}</pre><pre>CMDIChildWnd</pre><pre>CMDIFrameWnd</pre><pre>CMDIClientAreaWnd</pre><pre>%sMDIClientArea-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp</pre><pre>%sMFCOutlookBar-%d%x</pre><pre>%sMFCOutlookBar-%d</pre><pre>%sDockablePaneAdapter-%d%x</pre><pre>%sDockablePaneAdapter-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp</pre><pre>CMFCToolBarsKeyboardPropertyPage</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp</pre><pre>RGB(%d, %d, %d)</pre><pre>ENABLE_KEYS</pre><pre>KEYS_MENU</pre><pre>KEYS</pre><pre>%sMFCTasksPane-%d%x</pre><pre>%sMFCTasksPane-%d</pre><pre>portuguese-brazilian</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>F%D,3</pre><pre>deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler</pre><pre>Visual C CRT: Not enough memory to complete call to strerror.</pre><pre>Broken pipe</pre><pre>Inappropriate I/O control operation</pre><pre>Operation not permitted</pre><pre>.?AVCCmdTarget@@</pre><pre>.PAVCException@@</pre><pre>.?AVCSupportDlg@@</pre><pre>.?AVCWEbEvents_Bill@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.?AVCCmdUI@@</pre><pre>.PAVCUserException@@</pre><pre>.PAVCOleException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCMemoryException@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCInvalidArgException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCArchiveException@@</pre><pre>.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@</pre><pre>.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@</pre><pre>.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@</pre><pre>.PAVCFileException@@</pre><pre>.?AVCMFCToolBarCmdUI@@</pre><pre>.?AVCMDITabProxyWnd@@</pre><pre>.?AVCMDIChildWndEx@@</pre><pre>.?AVCMDIChildWnd@@</pre><pre>.?AVCMDIFrameWndEx@@</pre><pre>.?AVCMDIFrameWnd@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>.?AVCMFCCmdUsageCount@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@</pre><pre>.?AVCMFCAcceleratorKey@@</pre><pre>.?AVCMFCColorBarCmdUI@@</pre><pre>.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@</pre><pre>.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@</pre><pre>.?AVCMDIClientAreaWnd@@</pre><pre>.?AVCMFCRibbonCmdUI@@</pre><pre>.?AVCMFCToolBarsKeyboardPropertyPage@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@</pre><pre>.?AVCMFCRibbonKeyTip@@</pre><pre>.?AVCMFCTasksPaneToolBarCmdUI@@</pre><pre>.?AVCMFCAcceleratorKeyAssignCtrl@@</pre><pre>zcÁ</pre><pre>%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2b</pre><pre>%System%\exA1uvD2oFpHsJd.exe</pre><pre><:@87@:;?</pre><pre>:9=87@;9?</pre><pre>:9=87@87@</pre><pre>99?87@>:@</pre><pre>58@87@;9?</pre><pre>:7@7:?99?</pre><pre>:8>:7@96?</pre><pre>95@99?<8></pre><pre>7:?7:?:8></pre><pre><7@87@7:?</pre><pre>87@;9?87@</pre><pre>;9?87@99?</pre><pre>7:?99?88>;9?</pre><pre>:8>99?87@</pre><pre><7@99?7:?57?</pre><pre>68@;9?99?69></pre><pre>?8?:7@68@</pre><pre>99?69>87@87@;9?</pre><pre>69>99?87@</pre><pre>9:>:7@;9?</pre><pre>87@87@9:></pre><pre>87@87@<8></pre><pre>_^`99?69=</pre><pre>qV!.HS6(</pre><pre>;/%URTaMLe</pre><pre>?5.HGIJ;8</pre><pre>qW".FS5*</pre><pre>pP|O.xD</pre><pre>444888888888888</pre><pre>44@444<44</pre><pre>N.tND/</pre><pre>>.wA1u?/q>.s<*u8&|3"</pre><pre>&.DAWI<|</pre><pre>$.YK=</pre><pre>.&!#.87"</pre><pre>).@.= :$</pre><pre>*"=/:1="%</pre><pre>uF%xR-wU</pre><pre>?5.vhV</pre><pre>AgjL2.lii</pre><pre>hKN.zhf</pre><pre>333333333333</pre><pre>333333333</pre><pre>333333333333333</pre><pre>333333333333333333</pre><pre>.IZUUS{> 3a</pre><pre>ð-vF.}I-g@ .,* /</pre><pre>K1.hv</pre><pre>.ËBBBBBBBBBBBt\V</pre><pre>.ËBBBBBBBBBBBt\Vdr</pre><pre>1(#%1;:$</pre><pre>wO%fH&</pre><pre>O.FjZ</pre><pre>k.Kji</pre><pre>.pu!zl</pre><pre>.iuQ^</pre><pre>9S%CL</pre><pre>Z.pHh</pre><pre>%r9%s</pre><pre>v.Uo7</pre><pre>[n;e%d</pre><pre>,.dnN</pre><pre>%0uFjf</pre><pre>.Noi#</pre><pre>V-7w}</pre><pre>X.ov6</pre><pre>.eQR[</pre><pre>9f[</pre><pre>=dJ.YM</pre><pre>*.egK</pre><pre>@k..tNNm</pre><pre>V.jgo</pre><pre>%FPuU !^w\</pre><pre>e.rl;</pre><pre>4vi_ag.Be</pre><pre>.cg$:</pre><pre>%xT)W</pre><pre>.Bj7=</pre><pre>8=d%f</pre><pre>II.lVE</pre><pre>N}-.Sa4m</pre><pre>NJi%s</pre><pre>qL.ch</pre><pre>.Pu'a</pre><pre>&jf.lg</pre><pre>$7Z.gzc</pre><pre>Z.wjay</pre><pre>M.KS!</pre><pre>Y%uJgF></pre><pre>p.ZSy</pre><pre>p.VOy</pre><pre>%cP#S</pre><pre>i0_%}</pre><pre>Lc,%D</pre><pre>je.dc7^</pre><pre>.zEG#</pre><pre>p;%sp</pre><pre>Vz?.wJs</pre><pre>MsgC-"</pre><pre>UJ.KWEg1</pre><pre>w.Ls2</pre><pre>S9.aBS</pre><pre>y.wM_</pre><pre>:U.Qw</pre><pre>aúb</pre><pre>\#e.CF</pre><pre>.fg~la</pre><pre>j%S94</pre><pre>%x4}@0</pre><pre>.ak{{</pre><pre>@%u1I:KZ</pre><pre>g.gt#</pre><pre>.PSsQ?r</pre><pre>,H9\%xeb!</pre><pre>J.xn;,</pre><pre>B%9U1</pre><pre>Lv.sD&</pre><pre>@.zk-m4</pre><pre>v}c%uQ</pre><pre>#.VnC&</pre><pre>cl.rb</pre><pre>Un%x3;</pre><pre>,.el"</pre><pre>s8%u4</pre><pre>!.qEi</pre><pre>'%Ud@</pre><pre>.gI[b</pre><pre> Ih,Nl.Jh)Lh)</pre><pre>=;=9'!1'*!74.'8&;0</pre><pre>v.YeS2</pre><pre>eRSsH</pre><pre>GetCPInfo</pre><pre>GetWindowsDirectoryA</pre><pre>GetProcessHeap</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegDeleteKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegCreateKeyExA</pre><pre>RegFlushKey</pre><pre>SetViewportOrgEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>GetViewportExtEx</pre><pre>GetViewportOrgEx</pre><pre>GdiplusShutdown</pre><pre>ShellExecuteExA</pre><pre>ShellExecuteA</pre><pre>SetWindowsHookExA</pre><pre>UnhookWindowsHookEx</pre><pre>GetKeyState</pre><pre>CreateDialogIndirectParamA</pre><pre>EnumWindows</pre><pre>GetAsyncKeyState</pre><pre>GetKeyNameTextA</pre><pre>MapVirtualKeyA</pre><pre>keybd_event</pre><pre>MapVirtualKeyExA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayout</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>*!74.'8&;0</pre><pre>2r.qbi</pre><pre>KeyE</pre><pre>%dTR#</pre><pre>k.pc'</pre><pre>ADVAPI32.dll</pre><pre>COMCTL32.dll</pre><pre>COMDLG32.dll</pre><pre>GDI32.dll</pre><pre>gdiplus.dll</pre><pre>IMM32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>MSIMG32.dll</pre><pre>OLEACC.dll</pre><pre>OLEAUT32.dll</pre><pre>oledlg.dll</pre><pre>PSAPI.DLL</pre><pre>SHELL32.dll</pre><pre>SHLWAPI.dll</pre><pre>USER32.dll</pre><pre>WINMM.dll</pre><pre>WINSPOOL.DRV</pre><pre>WSOCK32.dll</pre><pre>Dr.Web</pre><pre>Windows has found spyware infection on your computer!</pre><pre>Click here to update your Windows antivirus software</pre><pre>A</pre><pre><serialkey></serialkey></pre><pre>accKeyboardShortcut</pre><pre>hhctrl.ocx</pre><pre>SHELL32.DLL</pre><pre>dwmapi.dll</pre><pre>UxTheme.dll</pre><pre>USER32.DLL</pre><pre>PRICHED20.DLL</pre><pre>ekernel32.dll</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>svchost.exe</pre><pre>Send Error Report</pre><pre>We have created an error report that you can send to us. We will treat</pre><pre>this report as confidential and anonymous.</pre><pre>To see what data this error report contains, click here.</pre><pre>svchost.exe was replaced with unauthorized program.</pre><pre>Windows Security Alert</pre><pre>Windows Firewall has blocked this program from accepting connections from the Internet or a network. If you recognize the program or trust the publisher, you can ublock it.</pre><pre>Windows Security Center</pre><pre>All Files (*.*)</pre><pre>No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.</pre><pre>Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.</pre><pre>Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.</pre><pre>#Unable to load mail system support.</pre><pre>Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents</pre><pre>%s [Recovered]</pre><pre>3.0.0.2</pre><b>exA1uvD2oFpHsJd.exe_1864_rwx_00400000_008B2000:</b><pre>`.rsrc</pre><pre>.Wj8hl83</pre><pre>V SSh</pre><pre>N SSh</pre><pre>P SSh</pre><pre>QSSh lW</pre><pre>tFHt:Ht.Ht"Hu`</pre><pre>j%XtL9E</pre><pre>tWSShW</pre><pre>tl9_ tgSSh</pre><pre>SSSSh0</pre><pre>t'SShl</pre><pre>u$SShe</pre><pre>@ SSHPWj</pre><pre>FTCP</pre><pre>u.Ph$</pre><pre>tAHt.HHt</pre><pre><SShG><pre>FtPW</pre><pre>SSh@B</pre><pre>xSSSh</pre><pre>FTPjKS</pre><pre>FtPj;S</pre><pre>C.PjRV</pre><pre>1.2.5</pre><pre>%s.zl</pre><pre>avgnt.exe</pre><pre>avgwdsvc.exe</pre><pre>AVGIDSAgent.exe</pre><pre>ccsvchst.exe</pre><pre>AvastUI.exe</pre><pre>mcagent.exe</pre><pre>ldr.ini</pre><pre>chrome.exe</pre><pre>iexplore.exe</pre><pre>http://google.com</pre><pre>http://%s</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>win32msmsgs.exe</pre><pre>win32itunes.exe</pre><pre>win32java.exe</pre><pre>win32wmplayer.exe</pre><pre>win32photoshop.exe</pre><pre>win32outlook.exe</pre><pre>win32excel.exe</pre><pre>win32winword.exe</pre><pre>win32safari.exe</pre><pre>win32firefox.exe</pre><pre>win32opera.exe</pre><pre>win32iexplore.exe</pre><pre>java.exe</pre><pre>drweb</pre><pre>http://%s/r.php?ver=14&id=%s&hwid=%s&p=%d&os=%s</pre><pre>9992665263</pre><pre>%s (%s:%d)</pre><pre>c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>%s %s%s</pre><pre>windows\</pre><pre>chargeyourorder.com</pre><pre>ordersonlinenow.com</pre><pre>mediaforclouds.com</pre><pre>ourbigvideostore.com</pre><pre>%d_%d_%d</pre><pre>%d_%d</pre><pre>%s\%s</pre><pre>sysl32.dll</pre><pre>TH_%d</pre><pre>http://photodatastore.com/sp.php?adv=%s&who=S</pre><pre>: Support</pre><pre>&key=</pre><pre>License key validated.</pre><pre>http://%s/ex2.php</pre><pre>%s "%s" %s</pre><pre>o@cmd.exe /c "%s"</pre><pre>del "%s"</pre><pre>if exist "%s" goto a</pre><pre>\oc%d_w32.bat</pre><pre>http://</pre><pre>HTTP/1.1 200 OK</pre><pre>HTTP/1.0 200 OK</pre><pre>POST %s HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</pre><pre>Content-Length: %u</pre><pre>GET %s HTTP/1.1</pre><pre>User-Agent: mozilla/2.0</pre><pre>spooler.exe</pre><pre>server.exe</pre><pre>winlogon.exe</pre><pre>un_inst.exe</pre><pre>IEUser.exe</pre><pre>SearchProtocolHost.exe</pre><pre>DllHost.exe</pre><pre>csrss.exe</pre><pre>Windows has detected malicious programs running on your computer.</pre><pre>Click here to activate your Windows antivirus software</pre><pre>http://%s/sig/?id=%s&system=%s&hwid=%s&n=%s</pre><pre>%s|%s|%d</pre><pre>%d.%d.%d</pre><pre>9972665267</pre><pre>9972439689</pre><pre>9882676258</pre><pre>9859198478</pre><pre>9691962564</pre><pre>9378969331</pre><pre>9376471437</pre><pre>9285678582</pre><pre>9221581871</pre><pre>9217457527</pre><pre>9217234169</pre><pre>8874598414</pre><pre>8861321723</pre><pre>8857988267</pre><pre>8838996945</pre><pre>8593214778</pre><pre>8567493449</pre><pre>8558121691</pre><pre>8525752718</pre><pre>8367636975</pre><pre>8356392329</pre><pre>8355289195</pre><pre>8355259195</pre><pre>8196375436</pre><pre>8196345414</pre><pre>8135259195</pre><pre>8132856849</pre><pre>7885832169</pre><pre>7852676282</pre><pre>7715438456</pre><pre>7659421734</pre><pre>7614643697</pre><pre>7592174565</pre><pre>7414541691</pre><pre>7246526785</pre><pre>6899692327</pre><pre>6874821958</pre><pre>6641354156</pre><pre>6637321723</pre><pre>6613528235</pre><pre>6593439566</pre><pre>6526765122</pre><pre>6378962334</pre><pre>6376736918</pre><pre>6315563723</pre><pre>5956636198</pre><pre>5932169186</pre><pre>5919825316</pre><pre>5898714538</pre><pre>5688289871</pre><pre>5379885698</pre><pre>5268174898</pre><pre>5267873675</pre><pre>4723274453</pre><pre>4687259849</pre><pre>4655834325</pre><pre>4439154958</pre><pre>4414895278</pre><pre>4281328365</pre><pre>4268761565</pre><pre>4261996943</pre><pre>4261328365</pre><pre>4235528916</pre><pre>4179195823</pre><pre>4159763697</pre><pre>4146739331</pre><pre>3961218556</pre><pre>3945638233</pre><pre>3924394865</pre><pre>3899836863</pre><pre>3798826765</pre><pre>3787693326</pre><pre>3787625649</pre><pre>3766368952</pre><pre>3619747186</pre><pre>3554156516</pre><pre>3541567625</pre><pre>2961332892</pre><pre>2838763789</pre><pre>2833525916</pre><pre>2819969298</pre><pre>2698736776</pre><pre>2676258959</pre><pre>2621948916</pre><pre>2619969432</pre><pre>2356258973</pre><pre>2343258649</pre><pre>2294654156</pre><pre>2285876582</pre><pre>1961232582</pre><pre>1837663686</pre><pre>1835437232</pre><pre>1789847197</pre><pre>1579859198</pre><pre>1354156739</pre><pre>1225242171</pre><pre>1196121858</pre><pre>1186796371</pre><pre>1171249582</pre><pre>1148762586</pre><pre>svg.ini</pre><pre>software\Microsoft\Windows\CurrentVersion</pre><pre>{5A92A751-F926-4BB9-872E-BEC4A4CD571F}</pre><pre>%u.%u.%u.%u</pre><pre>CluAdmin.exe</pre><pre>setup.exe</pre><pre>wab.exe</pre><pre>paint.exe</pre><pre>pools.exe</pre><pre>user32.exe</pre><pre>explorer.exe</pre><pre>notepad.exe</pre><pre>wmplayer.exe</pre><pre>msimn.exe</pre><pre>iexplorer.exe</pre><pre>calc.exe</pre><pre>%s\%s.exe</pre><pre>%s%s.ico</pre><pre>comctl32.dll</pre><pre>5_%d_%d_%d</pre><pre>4_%d_%d_%d</pre><pre>CSupportDlg</pre><pre>http://jn%s.%s/forum.cgi</pre><pre>email=%s&message=%s</pre><pre>HKEY\LM</pre><pre>HKEY\CU</pre><pre>%s\%s.ico</pre><pre>DEL_%d</pre><pre>Defs39491.db</pre><pre>XXXXXXXXXX</pre><pre>[%d] %s</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\NetworkCards</pre><pre>user32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl</pre><pre>Afx:%p:%x:%p:%p:%p</pre><pre>Afx:%p:%x</pre><pre>commctrl_DragListMsg</pre><pre>CCmdTarget</pre><pre>CNotSupportedException</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Network</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32</pre><pre>KERNEL32.DLL</pre><pre>%s%s.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp</pre><pre>lX-X-x-XX-XXXXXX</pre><pre>RegOpenKeyTransactedA</pre><pre>Advapi32.dll</pre><pre>RegCreateKeyTransactedA</pre><pre>RegDeleteKeyTransactedA</pre><pre>comdlg32.dll</pre><pre>shell32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp</pre><pre>mfcm100.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp</pre><pre>RegDeleteKeyExA</pre><pre>lXXxXXXXXXXX</pre><pre>Shell32.dll</pre><pre>%s:%x:%x:%x:%x</pre><pre>kernel32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp</pre><pre>%sMFCToolBar-%d%x</pre><pre>%sMFCToolBar-%d</pre><pre>%sMFCToolBarParameters</pre><pre>TOOLBAR_RESETKEYBAORD</pre><pre>&%d %s</pre><pre>MFCLink_UrlPrefix</pre><pre>MFCLink_Url</pre><pre>ole32.dll</pre><pre>CMDITabProxyWnd</pre><pre>CMDIChildWndEx</pre><pre>CMDIFrameWndEx</pre><pre>KeyboardManager</pre><pre>MSG_CHECKEMPTYMINIFRAME</pre><pre>%sDockingManager-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp</pre><pre>%sPane-%d%x</pre><pre>%sPane-%d</pre><pre>%sBasePane-%d%x</pre><pre>%sBasePane-%d</pre><pre>windows</pre><pre>ShowCmd</pre><pre>%c%d%c%s</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp</pre><pre>Hex={X,X,X}</pre><pre>CMDIChildWnd</pre><pre>CMDIFrameWnd</pre><pre>CMDIClientAreaWnd</pre><pre>%sMDIClientArea-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp</pre><pre>%sMFCOutlookBar-%d%x</pre><pre>%sMFCOutlookBar-%d</pre><pre>%sDockablePaneAdapter-%d%x</pre><pre>%sDockablePaneAdapter-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp</pre><pre>CMFCToolBarsKeyboardPropertyPage</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp</pre><pre>RGB(%d, %d, %d)</pre><pre>ENABLE_KEYS</pre><pre>KEYS_MENU</pre><pre>KEYS</pre><pre>%sMFCTasksPane-%d%x</pre><pre>%sMFCTasksPane-%d</pre><pre>portuguese-brazilian</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>F%D,3</pre><pre>deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler</pre><pre>Visual C CRT: Not enough memory to complete call to strerror.</pre><pre>Broken pipe</pre><pre>Inappropriate I/O control operation</pre><pre>Operation not permitted</pre><pre>.?AVCCmdTarget@@</pre><pre>.PAVCException@@</pre><pre>.?AVCSupportDlg@@</pre><pre>.?AVCWEbEvents_Bill@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.?AVCCmdUI@@</pre><pre>.PAVCUserException@@</pre><pre>.PAVCOleException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCMemoryException@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCInvalidArgException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCArchiveException@@</pre><pre>.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@</pre><pre>.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@</pre><pre>.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@</pre><pre>.PAVCFileException@@</pre><pre>.?AVCMFCToolBarCmdUI@@</pre><pre>.?AVCMDITabProxyWnd@@</pre><pre>.?AVCMDIChildWndEx@@</pre><pre>.?AVCMDIChildWnd@@</pre><pre>.?AVCMDIFrameWndEx@@</pre><pre>.?AVCMDIFrameWnd@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>.?AVCMFCCmdUsageCount@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@</pre><pre>.?AVCMFCAcceleratorKey@@</pre><pre>.?AVCMFCColorBarCmdUI@@</pre><pre>.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@</pre><pre>.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@</pre><pre>.?AVCMDIClientAreaWnd@@</pre><pre>.?AVCMFCRibbonCmdUI@@</pre><pre>.?AVCMFCToolBarsKeyboardPropertyPage@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@</pre><pre>.?AVCMFCRibbonKeyTip@@</pre><pre>.?AVCMFCTasksPaneToolBarCmdUI@@</pre><pre>.?AVCMFCAcceleratorKeyAssignCtrl@@</pre><pre>zcÁ</pre><pre>%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2b</pre><pre>%System%\exA1uvD2oFpHsJd.exe</pre><pre><:@87@:;?</pre><pre>:9=87@;9?</pre><pre>:9=87@87@</pre><pre>99?87@>:@</pre><pre>58@87@;9?</pre><pre>:7@7:?99?</pre><pre>:8>:7@96?</pre><pre>95@99?<8></pre><pre>7:?7:?:8></pre><pre><7@87@7:?</pre><pre>87@;9?87@</pre><pre>;9?87@99?</pre><pre>7:?99?88>;9?</pre><pre>:8>99?87@</pre><pre><7@99?7:?57?</pre><pre>68@;9?99?69></pre><pre>?8?:7@68@</pre><pre>99?69>87@87@;9?</pre><pre>69>99?87@</pre><pre>9:>:7@;9?</pre><pre>87@87@9:></pre><pre>87@87@<8></pre><pre>_^`99?69=</pre><pre>qV!.HS6(</pre><pre>;/%URTaMLe</pre><pre>?5.HGIJ;8</pre><pre>qW".FS5*</pre><pre>pP|O.xD</pre><pre>444888888888888</pre><pre>44@444<44</pre><pre>N.tND/</pre><pre>>.wA1u?/q>.s<*u8&|3"</pre><pre>&.DAWI<|</pre><pre>$.YK=</pre><pre>.&!#.87"</pre><pre>).@.= :$</pre><pre>*"=/:1="%</pre><pre>uF%xR-wU</pre><pre>?5.vhV</pre><pre>AgjL2.lii</pre><pre>hKN.zhf</pre><pre>333333333333</pre><pre>333333333</pre><pre>333333333333333</pre><pre>333333333333333333</pre><pre>.IZUUS{> 3a</pre><pre>ð-vF.}I-g@ .,* /</pre><pre>K1.hv</pre><pre>.ËBBBBBBBBBBBt\V</pre><pre>.ËBBBBBBBBBBBt\Vdr</pre><pre>1(#%1;:$</pre><pre>wO%fH&</pre><pre>O.FjZ</pre><pre>k.Kji</pre><pre>.pu!zl</pre><pre>.iuQ^</pre><pre>9S%CL</pre><pre>Z.pHh</pre><pre>%r9%s</pre><pre>v.Uo7</pre><pre>[n;e%d</pre><pre>,.dnN</pre><pre>%0uFjf</pre><pre>.Noi#</pre><pre>V-7w}</pre><pre>X.ov6</pre><pre>.eQR[</pre><pre>9f[</pre><pre>=dJ.YM</pre><pre>*.egK</pre><pre>@k..tNNm</pre><pre>V.jgo</pre><pre>%FPuU !^w\</pre><pre>e.rl;</pre><pre>4vi_ag.Be</pre><pre>.cg$:</pre><pre>%xT)W</pre><pre>.Bj7=</pre><pre>8=d%f</pre><pre>II.lVE</pre><pre>N}-.Sa4m</pre><pre>NJi%s</pre><pre>qL.ch</pre><pre>.Pu'a</pre><pre>&jf.lg</pre><pre>$7Z.gzc</pre><pre>Z.wjay</pre><pre>M.KS!</pre><pre>Y%uJgF></pre><pre>p.ZSy</pre><pre>p.VOy</pre><pre>%cP#S</pre><pre>i0_%}</pre><pre>Lc,%D</pre><pre>je.dc7^</pre><pre>.zEG#</pre><pre>p;%sp</pre><pre>Vz?.wJs</pre><pre>MsgC-"</pre><pre>UJ.KWEg1</pre><pre>w.Ls2</pre><pre>S9.aBS</pre><pre>y.wM_</pre><pre>:U.Qw</pre><pre>aúb</pre><pre>\#e.CF</pre><pre>.fg~la</pre><pre>j%S94</pre><pre>%x4}@0</pre><pre>.ak{{</pre><pre>@%u1I:KZ</pre><pre>g.gt#</pre><pre>.PSsQ?r</pre><pre>,H9\%xeb!</pre><pre>J.xn;,</pre><pre>B%9U1</pre><pre>Lv.sD&</pre><pre>@.zk-m4</pre><pre>v}c%uQ</pre><pre>#.VnC&</pre><pre>cl.rb</pre><pre>Un%x3;</pre><pre>,.el"</pre><pre>s8%u4</pre><pre>!.qEi</pre><pre>'%Ud@</pre><pre>.gI[b</pre><pre> Ih,Nl.Jh)Lh)</pre><pre>=;=9'!1'*!74.'8&;0</pre><pre>v.YeS2</pre><pre>eRSsH</pre><pre>GetCPInfo</pre><pre>GetWindowsDirectoryA</pre><pre>GetProcessHeap</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegDeleteKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegCreateKeyExA</pre><pre>RegFlushKey</pre><pre>SetViewportOrgEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>GetViewportExtEx</pre><pre>GetViewportOrgEx</pre><pre>GdiplusShutdown</pre><pre>ShellExecuteExA</pre><pre>ShellExecuteA</pre><pre>SetWindowsHookExA</pre><pre>UnhookWindowsHookEx</pre><pre>GetKeyState</pre><pre>CreateDialogIndirectParamA</pre><pre>EnumWindows</pre><pre>GetAsyncKeyState</pre><pre>GetKeyNameTextA</pre><pre>MapVirtualKeyA</pre><pre>keybd_event</pre><pre>MapVirtualKeyExA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayout</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>*!74.'8&;0</pre><pre>2r.qbi</pre><pre>KeyE</pre><pre>%dTR#</pre><pre>k.pc'</pre><pre>ADVAPI32.dll</pre><pre>COMCTL32.dll</pre><pre>COMDLG32.dll</pre><pre>GDI32.dll</pre><pre>gdiplus.dll</pre><pre>IMM32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>MSIMG32.dll</pre><pre>OLEACC.dll</pre><pre>OLEAUT32.dll</pre><pre>oledlg.dll</pre><pre>PSAPI.DLL</pre><pre>SHELL32.dll</pre><pre>SHLWAPI.dll</pre><pre>USER32.dll</pre><pre>WINMM.dll</pre><pre>WINSPOOL.DRV</pre><pre>WSOCK32.dll</pre><pre>Dr.Web</pre><pre>Windows has found spyware infection on your computer!</pre><pre>Click here to update your Windows antivirus software</pre><pre>A</pre><pre><serialkey></serialkey></pre><pre>accKeyboardShortcut</pre><pre>hhctrl.ocx</pre><pre>SHELL32.DLL</pre><pre>dwmapi.dll</pre><pre>UxTheme.dll</pre><pre>USER32.DLL</pre><pre>PRICHED20.DLL</pre><pre>ekernel32.dll</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>svchost.exe</pre><pre>Send Error Report</pre><pre>We have created an error report that you can send to us. We will treat</pre><pre>this report as confidential and anonymous.</pre><pre>To see what data this error report contains, click here.</pre><pre>svchost.exe was replaced with unauthorized program.</pre><pre>Windows Security Alert</pre><pre>Windows Firewall has blocked this program from accepting connections from the Internet or a network. If you recognize the program or trust the publisher, you can ublock it.</pre><pre>Windows Security Center</pre><pre>All Files (*.*)</pre><pre>No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.</pre><pre>Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.</pre><pre>Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.</pre><pre>#Unable to load mail system support.</pre><pre>Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents</pre><pre>%s [Recovered]</pre><pre>3.0.0.2</pre></SShG></pre></SShG>