Fake-AV.Win32.FakeAV.iije (Kaspersky), Trojan.Generic.KD.369558 (B) (Emsisoft), Trojan.Generic.KD.369558 (AdAware)
Behaviour: Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5deeff05129a1d4aaf5bac9091d9058f
SHA1: 07f42d03bf6786a9720afca3c21f7c2b28cb429d
SHA256: 77cc991cadb6bd6db66df45324f62786ad74e819928228d5a1369b4661583ee3
SSDeep: 49152:BJqwJxr 7bFSMEFvEVuAuB2xG5d54d8sB YHGST6GzY:BJq9DEFvEMFB2ASgg6G
Size: 2390016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Fusion Install
Created at: 2005-11-12 20:39:01
Analyzed on: WindowsXP SP3 32-bit
Summary: FakeAV programs generate exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove those reported threats.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Fake-AV creates the following process(es):
wuauclt.exe:540 (the Windows Update Automatic Updates client; the only activity attributed to it below is maintenance of its own SoftwareDistribution datastore, and nothing in the sample's strings refers to it, so treat it as background activity of the analysis machine rather than as a process the sample spawned)
%original file name%.exe:1656
The Fake-AV injects its code into the following process(es):
exA1uvD2oFpHsJd.exe:1864 (the copy the sample writes to %System% and registers in the Run key; it is this process that drops the shortcuts and deletes the original file)
File activity
The process exA1uvD2oFpHsJd.exe:1864 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2bOpen Cloud AV.ico (676 bytes)
%Documents and Settings%\%current user%\Desktop\Open Cloud AV.lnk (1 byte)
%Documents and Settings%\%current user%\Start Menu\Programs\Open Cloud AV\Open Cloud AV.lnk (1 byte)
%Documents and Settings%\%current user%\Application Data\ldr.ini (1644 bytes)
The Fake-AV deletes the following file(s) (the strings dump contains the usual cmd.exe /c batch self-delete loop, del "%s" / if exist "%s" goto a, written to a \oc%d_w32.bat file):
C:\%original file name%.exe (0 bytes)
The process wuauclt.exe:540 makes changes in the file system (all of them in the Windows Update ESE datastore):
The Fake-AV creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Fake-AV deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1656 makes changes in the file system.
The Fake-AV creates and/or writes to the following file(s):
%System%\config\software (838 bytes; the HKLM\SOFTWARE registry hive, updated when the autorun value below is written)
%System%\config\SOFTWARE.LOG (1987 bytes; the hive's transaction log)
%System%\exA1uvD2oFpHsJd.exe (10752 bytes)
Registry activity
The process exA1uvD2oFpHsJd.exe:1864 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 20 B8 1F 8C 17 F1 92 5A DC EA 65 FC 70 D3 B8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process %original file name%.exe:1656 makes changes in the system registry.
The Fake-AV creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F D9 7C 48 14 CE 3C B2 25 70 8C 29 46 45 33 CC"
To run itself each time Windows boots, the Fake-AV registers its dropped copy under the following autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xRZqhYCwkVlNx0c8234A" = "%System%\exA1uvD2oFpHsJd.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1656
exA1uvD2oFpHsJd.exe:1864
(wuauclt.exe:540 is the Windows Update client, not part of the infection; leave it running.)
- Delete the original Fake-AV file.
- Delete or disinfect the following files created/modified by the Fake-AV:
%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2bOpen Cloud AV.ico (676 bytes)
%Documents and Settings%\%current user%\Desktop\Open Cloud AV.lnk (1 byte)
%Documents and Settings%\%current user%\Start Menu\Programs\Open Cloud AV\Open Cloud AV.lnk (1 byte)
%Documents and Settings%\%current user%\Application Data\ldr.ini (1644 bytes)
%System%\exA1uvD2oFpHsJd.exe (10752 bytes)
Do not delete the other files the dynamic analysis lists as modified: %WinDir%\SoftwareDistribution\DataStore\DataStore.edb and the edb.chk / edb.log files beside it are the Windows Update database, and %System%\config\software with SOFTWARE.LOG is the live HKLM\SOFTWARE registry hive (removing it leaves the system unbootable). They were touched during the run but hold nothing of the Fake-AV beyond the autorun value removed in the next step.
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xRZqhYCwkVlNx0c8234A" = "%System%\exA1uvD2oFpHsJd.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1117300 | 1117696 | 4.91129 | 75caa66075b6477bd57a834bec9524b8 |
.rdata | 1122304 | 1268 | 1536 | 3.51403 | 9e6b659a192e853f991203dd64a0937b |
.data | 1126400 | 1268280 | 1268736 | 5.54506 | ed1563f9848845eb710b9a918ac318de |
.reloc | 2396160 | 6721536 | 1024 | 1.34685 | 11b3cd8b4cbfbb39a2e04bba2e5b8bdb |
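The two static signals in that table that matter for triage are per-section entropy and the .reloc mismatch (VirtualSize 6721536 against 1024 bytes of raw data, alongside the "Packed" entropy verdict and the UPolyX PEiD match). The Python below is an added example, not Lavasoft's tooling and not code from the sample: it parses only the DOS header, COFF header and section table of a PE image, computes Shannon entropy over each section's raw bytes, and flags sections that are high-entropy or whose VirtualSize dwarfs their SizeOfRawData. The image built by build_sample_pe() is constructed for the example and is not the analysed file, and the 7.0-bit entropy and 8x size-ratio thresholds are this example's choices.

```python
"""
Static section check reproducing two signals from the PE Sections table: the
Shannon entropy of each section's raw bytes and a VirtualSize far larger than
SizeOfRawData (the .reloc section above: 6,721,536 virtual vs 1,024 raw). Only
the headers needed for that are parsed (DOS header, COFF header, section table).
The image built by build_sample_pe() is constructed for this example; it is not
the analysed file, and the 7.0-bit and 8x thresholds are this example's choices.
"""
import math
import random
import struct

NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"          # Machine .. Characteristics, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniform, the scale the table uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Walk the section table of a PE image (bytes) and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(COFF_HEADER_FMT, image, coff)
    offset = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, _ = struct.unpack_from(SECTION_HEADER_FMT, image, offset)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
        })
        offset += SECTION_HEADER_SIZE
    return sections


def flag_anomalies(sections, high_entropy=7.0, inflate_ratio=8):
    """Map section name -> reasons, for sections that look packed or inflated."""
    flags = {}
    for s in sections:
        reasons = []
        if s["entropy"] >= high_entropy:
            reasons.append("high-entropy")
        if s["rawsize"] and s["vsize"] / s["rawsize"] >= inflate_ratio:
            reasons.append("vsize>>rawsize")
        if s["rawsize"] == 0 and s["vsize"]:
            reasons.append("no-raw-data")
        if reasons:
            flags[s["name"]] = reasons
    return flags


def build_sample_pe():
    """Constructed 32-bit PE skeleton: low-entropy .text, high-entropy .data, inflated .reloc."""
    rng = random.Random(1)
    opcodes = b"\x55\x8b\xec\x83\xc4\x5d\xc3\x90"
    text = bytes(rng.choice(opcodes) for _ in range(512))       # ~3 bits/byte
    data = bytes(rng.getrandbits(8) for _ in range(1024))       # ~7.8 bits/byte
    reloc = b"\0" * 16                                          # tiny on disk...
    layout = [(b".text", 512, 0x1000, text),
              (b".data", 1024, 0x2000, data),
              (b".reloc", 6721536, 0x3000, reloc)]              # ...huge when mapped
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)                  # PE32 magic
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(layout), 0, 0, 0, len(optional), 0x0102)
    image = bytes(dos) + NT_SIGNATURE + coff + bytes(optional)
    rawptr = 0x200
    for name, vsize, vaddr, raw in layout:
        image += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rawptr, 0, 0, 0, 0, 0x60000020)
        rawptr += len(raw)
    image += b"\0" * (0x200 - len(image))                       # pad headers to first raw offset
    for _, _, _, raw in layout:
        image += raw
    return image


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:8} vsize={s['vsize']:>8} raw={s['rawsize']:>6} entropy={s['entropy']:.2f}")
    print(flag_anomalies(secs))
```

On the report's own numbers none of the four sections crosses 7 bits (4.91, 3.51, 5.55, 1.35), so the "Packed" verdict rests on the .reloc size mismatch and the PEiD signature rather than on entropy; the two checks are complementary and a packer that keeps entropy moderate is still caught by the size ratio.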
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://google.com/ | 173.194.32.166 |
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl | 23.37.37.163 |
hxxp://crl.verisign.com/pca3-g2.crl | 23.37.37.163 |
hxxp://crl.verisign.com/pca3.crl | 23.37.37.163 |
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl | 23.37.37.163 |
www.download.windowsupdate.com | 212.30.134.177 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Of the requests below, only the two to google.com come from the sample (User-Agent mozilla/2.0, which appears verbatim in the strings dump); the four CRL downloads carry the Microsoft-CryptoAPI User-Agent and are Windows certificate-revocation checks against VeriSign, not command-and-control traffic.
GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "ca78ff71d328047ab1f6f2dd982e54d9:1399928710"
Last-Modified: Mon, 12 May 2014 21:05:10 GMT
Accept-Ranges: bytes
Content-Length: 2249
Date: Tue, 13 May 2014 03:30:38 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
[2249-byte DER CRL body omitted: issuer VeriSign Class 3 Code Signing 2009 CA, thisUpdate 2014-05-12 21:00:03Z, nextUpdate 2014-05-26 21:00:03Z, followed by the revoked-serial list]
GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "072641a27cd10308fabc881f069f37c1:1396126208"
Last-Modified: Sat, 29 Mar 2014 20:50:08 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Tue, 13 May 2014 03:30:37 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
[1415-byte DER CRL body omitted: issuer Class 3 Public Primary Certification Authority - G2, thisUpdate 2014-03-20 00:00:00Z, nextUpdate 2014-06-30 23:59:59Z, followed by the revoked-serial list]
GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"
Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Tue, 13 May 2014 03:30:40 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
[933-byte DER CRL body omitted: issuer Class 3 Public Primary Certification Authority, thisUpdate 2014-03-20 00:00:00Z, nextUpdate 2014-06-30 23:59:59Z, followed by the revoked-serial list; the capture contains a second copy of the same response]
GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "7ec0494a7288a550c3f3de408e9ca884:1399928710"
Last-Modified: Mon, 12 May 2014 21:05:10 GMT
Accept-Ranges: bytes
Content-Length: 37283
Date: Tue, 13 May 2014 03:30:40 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
[37283-byte DER CRL body omitted: issuer VeriSign Class 3 Code Signing 2009-2 CA, thisUpdate 2014-05-12 21:00:02Z, nextUpdate 2014-05-26 21:00:02Z, followed by the revoked-serial list]
GET / HTTP/1.1
Host: google.com
User-Agent: mozilla/2.0
Connection: close
HTTP/1.1 302 Found
Location: hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU_3yJeaayQOXlIHIBQ
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=f6c23712edbd5a1d:FF=0:TM=1399951821:LM=1399951821:S=OQTHMyaPiQuxlsvb; expires=Thu, 12-May-2016 03:30:21 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=Od5HoomjUViLtJRDNoQ3IG5m19_yQ2aIjFi5_CD9aRX_dttRQf_PQKL4wdX9Uyu_pFbnSjtTFLUCNtEsVCXFLnsFJRpzFoD0YzTwUxrYqNdRkx4VAl6g04rzoI8lm8Ed; expires=Wed, 12-Nov-2014 03:30:21 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Tue, 13 May 2014 03:30:21 GMT
Server: gws
Content-Length: 262
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU_3yJeaayQOXlIHIBQ">here</A>...</BODY></HTML>....
GET / HTTP/1.1
Host: google.com
User-Agent: mozilla/2.0
Connection: close
HTTP/1.1 302 Found
Location: hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU5TFJqH_ywOpo4H4BQ
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=c924d52e60b41975:FF=0:TM=1399951821:LM=1399951821:S=ZCyxXXYk2D8IprA9; expires=Thu, 12-May-2016 03:30:21 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=daOBenXY2r7DlDFxIJFnXvQQXKLndHtlO-HLMsio9PU-a7ciJk32PKVB_ep7IKIcf99n0uwyEBmm-xtHd_yGszlNkY5UhBcZyJeHTedPWSRRCZp0TZMAEh8a-hLMsCQh; expires=Wed, 12-Nov-2014 03:30:21 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Tue, 13 May 2014 03:30:21 GMT
Server: gws
Content-Length: 262
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gws_rd=cr&ei=zZFxU5TFJqH_ywOpo4H4BQ">here</A>...</BODY></HTML>....
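What separates the sample's own traffic from the background noise above is the bare User-Agent mozilla/2.0 on the google.com probe, and the strings dump further down supplies the beacon templates that never fired in the sandbox (r.php with ver/id/hwid/p/os, sig/ with id/system/hwid/n, sp.php on photodatastore.com, ex2.php, and forum.cgi on a jn-prefixed host) together with the hard-coded hostnames chargeyourorder.com, ordersonlinenow.com, mediaforclouds.com, ourbigvideostore.com and photodatastore.com. The Python below is an added example, not part of the Lavasoft report, that turns those observations into log-triage logic; the pipe-separated log format, the indicator names and every line in SAMPLE_LOG are constructed for the example.

```python
"""
Triage of HTTP/proxy log lines for the beaconing pattern this report documents.

Indicators are taken from the page: the hard-coded hostnames in the strings dump,
the URL templates r.php / sig/ / sp.php / ex2.php / forum.cgi, the bare
"mozilla/2.0" User-Agent used for the google.com reachability probe, and the
MSIE 6.0 User-Agent used for POSTs. The pipe-separated log format and every
line in SAMPLE_LOG are constructed for this example, not taken from the report.
"""
from urllib.parse import parse_qs, urlsplit

# Hostnames that appear verbatim in the strings dump.
KNOWN_HOSTS = {
    "chargeyourorder.com", "ordersonlinenow.com", "mediaforclouds.com",
    "ourbigvideostore.com", "photodatastore.com",
}

# URL templates from the strings dump: path -> query parameters the template carries.
# (/forum.cgi comes from "http://jn%s.%s/forum.cgi", so the host must start with "jn".)
BEACON_TEMPLATES = {
    "/r.php": {"ver", "id", "hwid", "p", "os"},
    "/sig/": {"id", "system", "hwid", "n"},
    "/sp.php": {"adv", "who"},
    "/ex2.php": set(),
    "/forum.cgi": set(),
}

# Exact User-Agent strings from the traffic capture and the strings dump. A bare,
# lower-case "mozilla/2.0" is not sent by any real browser, so it is a strong
# indicator on its own; the MSIE 6.0 string is only confirmatory.
UA_PROBE = "mozilla/2.0"
UA_POST = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def classify(method, url, user_agent):
    """Return the indicator names that fire for one request (empty list if none)."""
    hits = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = set(parse_qs(parts.query, keep_blank_values=True))

    if host in KNOWN_HOSTS:
        hits.append("known-host")
    for path, required in BEACON_TEMPLATES.items():
        if parts.path != path or not required <= params:
            continue
        if path == "/forum.cgi" and not host.startswith("jn"):
            continue
        hits.append("beacon-template:" + path)
    if user_agent.strip() == UA_PROBE:
        hits.append("ua-mozilla/2.0")
        if host in ("google.com", "www.google.com") and parts.path == "/":
            hits.append("reachability-probe")
    if method == "POST" and user_agent == UA_POST and any(h.startswith("beacon-template") for h in hits):
        hits.append("post-with-msie6-ua")
    return hits


def scan(log_text):
    """Return [(line_number, indicators)] for every log line that trips at least one indicator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        _src, _dst, method, url, user_agent = line.split("|", 4)
        hits = classify(method, url, user_agent)
        if hits:
            findings.append((lineno, hits))
    return findings


# Constructed sample: src|dst|method|url|user-agent. Lines 2 and 5 are benign
# background (a CryptoAPI CRL fetch and an ordinary Firefox request).
SAMPLE_LOG = """\
10.0.0.5|173.194.32.166|GET|http://google.com/|mozilla/2.0
10.0.0.5|23.37.37.163|GET|http://crl.verisign.com/pca3.crl|Microsoft-CryptoAPI/5.131.2600.5512
10.0.0.5|198.51.100.7|GET|http://chargeyourorder.com/r.php?ver=14&id=AB12&hwid=0123456789ABCDEF&p=1&os=5.1|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
10.0.0.9|203.0.113.10|GET|http://example.org/sig/?id=x&system=xp&hwid=y&n=3|mozilla/2.0
10.0.0.5|93.184.216.34|GET|http://example.org/index.html|Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
10.0.0.9|203.0.113.10|POST|http://photodatastore.com/sp.php?adv=xyz&who=S|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
10.0.0.9|203.0.113.10|GET|http://jn7.example.net/forum.cgi|mozilla/2.0
"""

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Combine the known-host and beacon-template indicators with the bare mozilla/2.0 User-Agent where possible: the hostnames may have been sinkholed or re-registered long after 2014, and the MSIE 6.0 User-Agent on its own matched a large share of legitimate Windows XP traffic at the time.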
Map
The Fake-AV connects to the servers at the following location(s):
Strings from Dumps
exA1uvD2oFpHsJd.exe_1864:
`.rsrc
.Wj8hl83
V SSh
N SSh
P SSh
QSSh lW
tFHt:Ht.Ht"Hu`
j%XtL9E
tWSShW
tl9_ tgSSh
SSSSh0
t'SShl
u$SShe
@ SSHPWj
FTCP
u.Ph$
tAHt.HHt
<SShG>
FtPW
SSh@B
xSSSh
FTPjKS
FtPj;S
C.PjRV
1.2.5
%s.zl
avgnt.exe
avgwdsvc.exe
AVGIDSAgent.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
ldr.ini
chrome.exe
iexplore.exe
http://google.com
http://%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win32msmsgs.exe
win32itunes.exe
win32java.exe
win32wmplayer.exe
win32photoshop.exe
win32outlook.exe
win32excel.exe
win32winword.exe
win32safari.exe
win32firefox.exe
win32opera.exe
win32iexplore.exe
java.exe
drweb
http://%s/r.php?ver=14&id=%s&hwid=%s&p=%d&os=%s
9992665263
%s (%s:%d)
c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
Software\Microsoft\Windows\CurrentVersion\Run
%s %s%s
windows\
chargeyourorder.com
ordersonlinenow.com
mediaforclouds.com
ourbigvideostore.com
%d_%d_%d
%d_%d
%s\%s
sysl32.dll
TH_%d
http://photodatastore.com/sp.php?adv=%s&who=S
: Support
&key=
License key validated.
http://%s/ex2.php
%s "%s" %s
o@cmd.exe /c "%s"
del "%s"
if exist "%s" goto a
\oc%d_w32.bat
http://
HTTP/1.1 200 OK
HTTP/1.0 200 OK
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: %u
GET %s HTTP/1.1
User-Agent: mozilla/2.0
spooler.exe
server.exe
winlogon.exe
un_inst.exe
IEUser.exe
SearchProtocolHost.exe
DllHost.exe
csrss.exe
Windows has detected malicious programs running on your computer.
Click here to activate your Windows antivirus software
http://%s/sig/?id=%s&system=%s&hwid=%s&n=%s
%s|%s|%d
%d.%d.%d
9972665267
9972439689
9882676258
9859198478
9691962564
9378969331
9376471437
9285678582
9221581871
9217457527
9217234169
8874598414
8861321723
8857988267
8838996945
8593214778
8567493449
8558121691
8525752718
8367636975
8356392329
8355289195
8355259195
8196375436
8196345414
8135259195
8132856849
7885832169
7852676282
7715438456
7659421734
7614643697
7592174565
7414541691
7246526785
6899692327
6874821958
6641354156
6637321723
6613528235
6593439566
6526765122
6378962334
6376736918
6315563723
5956636198
5932169186
5919825316
5898714538
5688289871
5379885698
5268174898
5267873675
4723274453
4687259849
4655834325
4439154958
4414895278
4281328365
4268761565
4261996943
4261328365
4235528916
4179195823
4159763697
4146739331
3961218556
3945638233
3924394865
3899836863
3798826765
3787693326
3787625649
3766368952
3619747186
3554156516
3541567625
2961332892
2838763789
2833525916
2819969298
2698736776
2676258959
2621948916
2619969432
2356258973
2343258649
2294654156
2285876582
1961232582
1837663686
1835437232
1789847197
1579859198
1354156739
1225242171
1196121858
1186796371
1171249582
1148762586
svg.ini
software\Microsoft\Windows\CurrentVersion
{5A92A751-F926-4BB9-872E-BEC4A4CD571F}
%u.%u.%u.%u
CluAdmin.exe
setup.exe
wab.exe
paint.exe
pools.exe
user32.exe
explorer.exe
notepad.exe
wmplayer.exe
msimn.exe
iexplorer.exe
calc.exe
%s\%s.exe
%s%s.ico
comctl32.dll
5_%d_%d_%d
4_%d_%d_%d
CSupportDlg
http://jn%s.%s/forum.cgi
email=%s&message=%s
HKEY\LM
HKEY\CU
%s\%s.ico
DEL_%d
Defs39491.db
XXXXXXXXXX
[%d] %s
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
CNotSupportedException
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
mfcm100.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
RegDeleteKeyExA
lXXxXXXXXXXX
Shell32.dll
%s:%x:%x:%x:%x
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
MFCLink_UrlPrefix
MFCLink_Url
ole32.dll
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
%sPane-%d%x
%sPane-%d
%sBasePane-%d%x
%sBasePane-%d
windows
ShowCmd
%c%d%c%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
Hex={X,X,X}
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
RGB(%d, %d, %d)
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
portuguese-brazilian
operator
GetProcessWindowStation
F%D,3
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
.?AVCCmdTarget@@
.PAVCException@@
.?AVCSupportDlg@@
.?AVCWEbEvents_Bill@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.PAVCFileException@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.PAVCOleDispatchException@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2b
%System%\exA1uvD2oFpHsJd.exe
<:@87@:;?
:9=87@;9?
:9=87@87@
99?87@>:@
58@87@;9?
:7@7:?99?
:8>:7@96?
95@99?<8>
7:?7:?:8>
<7@87@7:?
87@;9?87@
;9?87@99?
7:?99?88>;9?
:8>99?87@
<7@99?7:?57?
68@;9?99?69>
?8?:7@68@
99?69>87@87@;9?
69>99?87@
9:>:7@;9?
87@87@9:>
87@87@<8>
_^`99?69=
qV!.HS6(
;/%URTaMLe
?5.HGIJ;8
qW".FS5*
pP|O.xD
444888888888888
44@444<44
N.tND/
>.wA1u?/q>.s<*u8&|3"
&.DAWI<|
$.YK=
.&!#.87"
).@.= :$
*"=/:1="%
uF%xR-wU
?5.vhV
AgjL2.lii
hKN.zhf
333333333333
333333333
333333333333333
333333333333333333
.IZUUS{> 3a
ð-vF.}I-g@ .,* /
K1.hv
.ËBBBBBBBBBBBt\V
.ËBBBBBBBBBBBt\Vdr
1(#%1;:$
wO%fH&
O.FjZ
k.Kji
.pu!zl
.iuQ^
9S%CL
Z.pHh
%r9%s
v.Uo7
[n;e%d
,.dnN
%0uFjf
.Noi#
V-7w}
X.ov6
.eQR[
9f[
=dJ.YM
*.egK
@k..tNNm
V.jgo
%FPuU !^w\
e.rl;
4vi_ag.Be
.cg$:
%xT)W
.Bj7=
8=d%f
II.lVE
N}-.Sa4m
NJi%s
qL.ch
.Pu'a
&jf.lg
$7Z.gzc
Z.wjay
M.KS!
Y%uJgF>
p.ZSy
p.VOy
%cP#S
i0_%}
Lc,%D
je.dc7^
.zEG#
p;%sp
Vz?.wJs
MsgC-"
UJ.KWEg1
w.Ls2
S9.aBS
y.wM_
:U.Qw
aúb
\#e.CF
.fg~la
j%S94
%x4}@0
.ak{{
@%u1I:KZ
g.gt#
.PSsQ?r
,H9\%xeb!
J.xn;,
B%9U1
Lv.sD&
@.zk-m4
v}c%uQ
#.VnC&
cl.rb
Un%x3;
,.el"
s8%u4
!.qEi
'%Ud@
.gI[b
Ih,Nl.Jh)Lh)
=;=9'!1'*!74.'8&;0
v.YeS2
eRSsH
GetCPInfo
GetWindowsDirectoryA
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
RegDeleteKeyA
RegEnumKeyExA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GdiplusShutdown
ShellExecuteExA
ShellExecuteA
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyState
CreateDialogIndirectParamA
EnumWindows
GetAsyncKeyState
GetKeyNameTextA
MapVirtualKeyA
keybd_event
MapVirtualKeyExA
GetKeyboardState
GetKeyboardLayout
.text
`.rdata
@.data
.rsrc
*!74.'8&;0
2r.qbi
KeyE
%dTR#
k.pc'
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
IPHLPAPI.DLL
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WSOCK32.dll
Dr.Web
Windows has found spyware infection on your computer!
Click here to update your Windows antivirus software
A
<serialkey></serialkey>
accKeyboardShortcut
hhctrl.ocx
SHELL32.DLL
dwmapi.dll
UxTheme.dll
USER32.DLL
PRICHED20.DLL
ekernel32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
svchost.exe
Send Error Report
We have created an error report that you can send to us. We will treat
this report as confidential and anonymous.
To see what data this error report contains, click here.
svchost.exe was replaced with unauthorized program.
Windows Security Alert
Windows Firewall has blocked this program from accepting connections from the Internet or a network. If you recognize the program or trust the publisher, you can ublock it.
Windows Security Center
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
3.0.0.2
exA1uvD2oFpHsJd.exe_1864_rwx_00400000_008B2000:
Strings identical to those of exA1uvD2oFpHsJd.exe_1864 above (listing truncated in the source).
10.0\VC\atlmfc\include\afxwin1.inl</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>%s %s%s</pre><pre>windows\</pre><pre>chargeyourorder.com</pre><pre>ordersonlinenow.com</pre><pre>mediaforclouds.com</pre><pre>ourbigvideostore.com</pre><pre>%d_%d_%d</pre><pre>%d_%d</pre><pre>%s\%s</pre><pre>sysl32.dll</pre><pre>TH_%d</pre><pre>http://photodatastore.com/sp.php?adv=%s&who=S</pre><pre>: Support</pre><pre>&key=</pre><pre>License key validated.</pre><pre>http://%s/ex2.php</pre><pre>%s "%s" %s</pre><pre>o@cmd.exe /c "%s"</pre><pre>del "%s"</pre><pre>if exist "%s" goto a</pre><pre>\oc%d_w32.bat</pre><pre>http://</pre><pre>HTTP/1.1 200 OK</pre><pre>HTTP/1.0 200 OK</pre><pre>POST %s HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)</pre><pre>Content-Length: %u</pre><pre>GET %s HTTP/1.1</pre><pre>User-Agent: mozilla/2.0</pre><pre>spooler.exe</pre><pre>server.exe</pre><pre>winlogon.exe</pre><pre>un_inst.exe</pre><pre>IEUser.exe</pre><pre>SearchProtocolHost.exe</pre><pre>DllHost.exe</pre><pre>csrss.exe</pre><pre>Windows has detected malicious programs running on your computer.</pre><pre>Click here to activate your Windows antivirus 
software</pre><pre>http://%s/sig/?id=%s&system=%s&hwid=%s&n=%s</pre><pre>%s|%s|%d</pre><pre>%d.%d.%d</pre><pre>9972665267</pre><pre>9972439689</pre><pre>9882676258</pre><pre>9859198478</pre><pre>9691962564</pre><pre>9378969331</pre><pre>9376471437</pre><pre>9285678582</pre><pre>9221581871</pre><pre>9217457527</pre><pre>9217234169</pre><pre>8874598414</pre><pre>8861321723</pre><pre>8857988267</pre><pre>8838996945</pre><pre>8593214778</pre><pre>8567493449</pre><pre>8558121691</pre><pre>8525752718</pre><pre>8367636975</pre><pre>8356392329</pre><pre>8355289195</pre><pre>8355259195</pre><pre>8196375436</pre><pre>8196345414</pre><pre>8135259195</pre><pre>8132856849</pre><pre>7885832169</pre><pre>7852676282</pre><pre>7715438456</pre><pre>7659421734</pre><pre>7614643697</pre><pre>7592174565</pre><pre>7414541691</pre><pre>7246526785</pre><pre>6899692327</pre><pre>6874821958</pre><pre>6641354156</pre><pre>6637321723</pre><pre>6613528235</pre><pre>6593439566</pre><pre>6526765122</pre><pre>6378962334</pre><pre>6376736918</pre><pre>6315563723</pre><pre>5956636198</pre><pre>5932169186</pre><pre>5919825316</pre><pre>5898714538</pre><pre>5688289871</pre><pre>5379885698</pre><pre>5268174898</pre><pre>5267873675</pre><pre>4723274453</pre><pre>4687259849</pre><pre>4655834325</pre><pre>4439154958</pre><pre>4414895278</pre><pre>4281328365</pre><pre>4268761565</pre><pre>4261996943</pre><pre>4261328365</pre><pre>4235528916</pre><pre>4179195823</pre><pre>4159763697</pre><pre>4146739331</pre><pre>3961218556</pre><pre>3945638233</pre><pre>3924394865</pre><pre>3899836863</pre><pre>3798826765</pre><pre>3787693326</pre><pre>3787625649</pre><pre>3766368952</pre><pre>3619747186</pre><pre>3554156516</pre><pre>3541567625</pre><pre>2961332892</pre><pre>2838763789</pre><pre>2833525916</pre><pre>2819969298</pre><pre>2698736776</pre><pre>2676258959</pre><pre>2621948916</pre><pre>2619969432</pre><pre>2356258973</pre><pre>2343258649</pre><pre>2294654156</pre><pre>2285876582</pre><pre>1961232582</pre><pre
>1837663686</pre><pre>1835437232</pre><pre>1789847197</pre><pre>1579859198</pre><pre>1354156739</pre><pre>1225242171</pre><pre>1196121858</pre><pre>1186796371</pre><pre>1171249582</pre><pre>1148762586</pre><pre>svg.ini</pre><pre>software\Microsoft\Windows\CurrentVersion</pre><pre>{5A92A751-F926-4BB9-872E-BEC4A4CD571F}</pre><pre>%u.%u.%u.%u</pre><pre>CluAdmin.exe</pre><pre>setup.exe</pre><pre>wab.exe</pre><pre>paint.exe</pre><pre>pools.exe</pre><pre>user32.exe</pre><pre>explorer.exe</pre><pre>notepad.exe</pre><pre>wmplayer.exe</pre><pre>msimn.exe</pre><pre>iexplorer.exe</pre><pre>calc.exe</pre><pre>%s\%s.exe</pre><pre>%s%s.ico</pre><pre>comctl32.dll</pre><pre>5_%d_%d_%d</pre><pre>4_%d_%d_%d</pre><pre>CSupportDlg</pre><pre>http://jn%s.%s/forum.cgi</pre><pre>email=%s&message=%s</pre><pre>HKEY\LM</pre><pre>HKEY\CU</pre><pre>%s\%s.ico</pre><pre>DEL_%d</pre><pre>Defs39491.db</pre><pre>XXXXXXXXXX</pre><pre>[%d] %s</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\NetworkCards</pre><pre>user32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl</pre><pre>Afx:%p:%x:%p:%p:%p</pre><pre>Afx:%p:%x</pre><pre>commctrl_DragListMsg</pre><pre>CCmdTarget</pre><pre>CNotSupportedException</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Network</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32</pre><pre>KERNEL32.DLL</pre><pre>%s%s.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp</pre><pre>lX-X-x-XX-XXXXXX</pre><pre>RegOpenKeyTransactedA</pre><pre>Advapi32.dll</pre><pre>RegCreateKeyTransactedA</pre><pre>RegDeleteKeyTransactedA</pre><pre>comdlg32.dll</pre><pre>shell32.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp</pre><pre>mfcm100.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp</pre><pre>RegDeleteKeyExA</pre><pre>lXXxXXXXXXXX</pre><pre>Shell32.dll</pre><pre>%s:%x:%x:%x:%x</pre><pre>kernel32.dll</pre><pre>f:
\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp</pre><pre>%sMFCToolBar-%d%x</pre><pre>%sMFCToolBar-%d</pre><pre>%sMFCToolBarParameters</pre><pre>TOOLBAR_RESETKEYBAORD</pre><pre>&%d %s</pre><pre>MFCLink_UrlPrefix</pre><pre>MFCLink_Url</pre><pre>ole32.dll</pre><pre>CMDITabProxyWnd</pre><pre>CMDIChildWndEx</pre><pre>CMDIFrameWndEx</pre><pre>KeyboardManager</pre><pre>MSG_CHECKEMPTYMINIFRAME</pre><pre>%sDockingManager-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp</pre><pre>%sPane-%d%x</pre><pre>%sPane-%d</pre><pre>%sBasePane-%d%x</pre><pre>%sBasePane-%d</pre><pre>windows</pre><pre>ShowCmd</pre><pre>%c%d%c%s</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp</pre><pre>Hex={X,X,X}</pre><pre>CMDIChildWnd</pre><pre>CMDIFrameWnd</pre><pre>CMDIClientAreaWnd</pre><pre>%sMDIClientArea-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp</pre><pre>%sMFCOutlookBar-%d%x</pre><pre>%sMFCOutlookBar-%d</pre><pre>%sDockablePaneAdapter-%d%x</pre><pre>%sDockablePaneAdapter-%d</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp</pre><pre>CMFCToolBarsKeyboardPropertyPage</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp</pre><pre>RGB(%d, %d, %d)</pre><pre>ENABLE_KEYS</pre><pre>KEYS_MENU</pre><pre>KEYS</pre><pre>%sMFCTasksPane-%d%x</pre><pre>%sMFCTasksPane-%d</pre><pre>portuguese-brazilian</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>F%D,3</pre><pre>deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler</pre><pre>Visual C CRT: Not enough memory to complete call to strerror.</pre><pre>Broken pipe</pre><pre>Inappropriate I/O control operation</pre><pre>Operation not 
permitted</pre><pre>.?AVCCmdTarget@@</pre><pre>.PAVCException@@</pre><pre>.?AVCSupportDlg@@</pre><pre>.?AVCWEbEvents_Bill@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.?AVCCmdUI@@</pre><pre>.PAVCUserException@@</pre><pre>.PAVCOleException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCMemoryException@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCInvalidArgException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCArchiveException@@</pre><pre>.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@</pre><pre>.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@</pre><pre>.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@</pre><pre>.PAVCFileException@@</pre><pre>.?AVCMFCToolBarCmdUI@@</pre><pre>.?AVCMDITabProxyWnd@@</pre><pre>.?AVCMDIChildWndEx@@</pre><pre>.?AVCMDIChildWnd@@</pre><pre>.?AVCMDIFrameWndEx@@</pre><pre>.?AVCMDIFrameWnd@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>.?AVCMFCCmdUsageCount@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@</pre><pre>.?AVCMFCAcceleratorKey@@</pre><pre>.?AVCMFCColorBarCmdUI@@</pre><pre>.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@</pre><pre>.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@</pre><pre>.?AVCMDIClientAreaWnd@@</pre><pre>.?AVCMFCRibbonCmdUI@@</pre><pre>.?AVCMFCToolBarsKeyboardPropertyPage@@</pre><pre>.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@</pre><pre>.?AVCMFCRibbonKeyTip@@</pre><pre>.?AVCMFCTasksPaneToolBarCmdUI@@</pre><pre>.?AVCMFCAcceleratorKeyAssignCtrl
@@</pre><pre>zcÁ</pre><pre>%Documents and Settings%\%current user%\Application Data\YIBrzONyx1v2b</pre><pre>%System%\exA1uvD2oFpHsJd.exe</pre><pre><:@87@:;?</pre><pre>:9=87@;9?</pre><pre>:9=87@87@</pre><pre>99?87@>:@</pre><pre>58@87@;9?</pre><pre>:7@7:?99?</pre><pre>:8>:7@96?</pre><pre>95@99?<8></pre><pre>7:?7:?:8></pre><pre><7@87@7:?</pre><pre>87@;9?87@</pre><pre>;9?87@99?</pre><pre>7:?99?88>;9?</pre><pre>:8>99?87@</pre><pre><7@99?7:?57?</pre><pre>68@;9?99?69></pre><pre>?8?:7@68@</pre><pre>99?69>87@87@;9?</pre><pre>69>99?87@</pre><pre>9:>:7@;9?</pre><pre>87@87@9:></pre><pre>87@87@<8></pre><pre>_^`99?69=</pre><pre>qV!.HS6(</pre><pre>;/%URTaMLe</pre><pre>?5.HGIJ;8</pre><pre>qW".FS5*</pre><pre>pP|O.xD</pre><pre>444888888888888</pre><pre>44@444<44</pre><pre>N.tND/</pre><pre>>.wA1u?/q>.s<*u8&|3"</pre><pre>&.DAWI<|</pre><pre>$.YK=</pre><pre>.&!#.87"</pre><pre>).@.= :$</pre><pre>*"=/:1="%</pre><pre>uF%xR-wU</pre><pre>?5.vhV</pre><pre>AgjL2.lii</pre><pre>hKN.zhf</pre><pre>333333333333</pre><pre>333333333</pre><pre>333333333333333</pre><pre>333333333333333333</pre><pre>.IZUUS{> 3a</pre><pre>ð-vF.}I-g@ .,* /</pre><pre>K1.hv</pre><pre>.ËBBBBBBBBBBBt\V</pre><pre>.ËBBBBBBBBBBBt\Vdr</pre><pre>1(#%1;:$</pre><pre>wO%fH&</pre><pre>O.FjZ</pre><pre>k.Kji</pre><pre>.pu!zl</pre><pre>.iuQ^</pre><pre>9S%CL</pre><pre>Z.pHh</pre><pre>%r9%s</pre><pre>v.Uo7</pre><pre>[n;e%d</pre><pre>,.dnN</pre><pre>%0uFjf</pre><pre>.Noi#</pre><pre>V-7w}</pre><pre>X.ov6</pre><pre>.eQR[</pre><pre>9f[</pre><pre>=dJ.YM</pre><pre>*.egK</pre><pre>@k..tNNm</pre><pre>V.jgo</pre><pre>%FPuU 
!^w\</pre><pre>e.rl;</pre><pre>4vi_ag.Be</pre><pre>.cg$:</pre><pre>%xT)W</pre><pre>.Bj7=</pre><pre>8=d%f</pre><pre>II.lVE</pre><pre>N}-.Sa4m</pre><pre>NJi%s</pre><pre>qL.ch</pre><pre>.Pu'a</pre><pre>&jf.lg</pre><pre>$7Z.gzc</pre><pre>Z.wjay</pre><pre>M.KS!</pre><pre>Y%uJgF></pre><pre>p.ZSy</pre><pre>p.VOy</pre><pre>%cP#S</pre><pre>i0_%}</pre><pre>Lc,%D</pre><pre>je.dc7^</pre><pre>.zEG#</pre><pre>p;%sp</pre><pre>Vz?.wJs</pre><pre>MsgC-"</pre><pre>UJ.KWEg1</pre><pre>w.Ls2</pre><pre>S9.aBS</pre><pre>y.wM_</pre><pre>:U.Qw</pre><pre>aúb</pre><pre>\#e.CF</pre><pre>.fg~la</pre><pre>j%S94</pre><pre>%x4}@0</pre><pre>.ak{{</pre><pre>@%u1I:KZ</pre><pre>g.gt#</pre><pre>.PSsQ?r</pre><pre>,H9\%xeb!</pre><pre>J.xn;,</pre><pre>B%9U1</pre><pre>Lv.sD&</pre><pre>@.zk-m4</pre><pre>v}c%uQ</pre><pre>#.VnC&</pre><pre>cl.rb</pre><pre>Un%x3;</pre><pre>,.el"</pre><pre>s8%u4</pre><pre>!.qEi</pre><pre>'%Ud@</pre><pre>.gI[b</pre><pre> Ih,Nl.Jh)Lh)</pre><pre>=;=9'!1'*!74.'8&;0</pre><pre>v.YeS2</pre><pre>eRSsH</pre><pre>GetCPInfo</pre><pre>GetWindowsDirectoryA</pre><pre>GetProcessHeap</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegDeleteKeyA</pre><pre>RegEnumKeyExA</pre><pre>RegCreateKeyExA</pre><pre>RegFlushKey</pre><pre>SetViewportOrgEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>GetViewportExtEx</pre><pre>GetViewportOrgEx</pre><pre>GdiplusShutdown</pre><pre>ShellExecuteExA</pre><pre>ShellExecuteA</pre><pre>SetWindowsHookExA</pre><pre>UnhookWindowsHookEx</pre><pre>GetKeyState</pre><pre>CreateDialogIndirectParamA</pre><pre>EnumWindows</pre><pre>GetAsyncKeyState</pre><pre>GetKeyNameTextA</pre><pre>MapVirtualKeyA</pre><pre>keybd_event</pre><pre>MapVirtualKeyExA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayout</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>*!74.'8&;0</pre><pre>2r.qbi</pre><pre>KeyE</pre><pre>%dTR#</pre><pre>k.pc'</pre><pre>ADVAPI32.dll</pre><pre>COMCTL32.dll</pr
e><pre>COMDLG32.dll</pre><pre>GDI32.dll</pre><pre>gdiplus.dll</pre><pre>IMM32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>MSIMG32.dll</pre><pre>OLEACC.dll</pre><pre>OLEAUT32.dll</pre><pre>oledlg.dll</pre><pre>PSAPI.DLL</pre><pre>SHELL32.dll</pre><pre>SHLWAPI.dll</pre><pre>USER32.dll</pre><pre>WINMM.dll</pre><pre>WINSPOOL.DRV</pre><pre>WSOCK32.dll</pre><pre>Dr.Web</pre><pre>Windows has found spyware infection on your computer!</pre><pre>Click here to update your Windows antivirus software</pre><pre>A</pre><pre><serialkey></serialkey></pre><pre>accKeyboardShortcut</pre><pre>hhctrl.ocx</pre><pre>SHELL32.DLL</pre><pre>dwmapi.dll</pre><pre>UxTheme.dll</pre><pre>USER32.DLL</pre><pre>PRICHED20.DLL</pre><pre>ekernel32.dll</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>svchost.exe</pre><pre>Send Error Report</pre><pre>We have created an error report that you can send to us. We will treat</pre><pre>this report as confidential and anonymous.</pre><pre>To see what data this error report contains, click here.</pre><pre>svchost.exe was replaced with unauthorized program.</pre><pre>Windows Security Alert</pre><pre>Windows Firewall has blocked this program from accepting connections from the Internet or a network. If you recognize the program or trust the publisher, you can ublock it.</pre><pre>Windows Security Center</pre><pre>All Files (*.*)</pre><pre>No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.</pre><pre>Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. 
This machine may have an incompatible version of %s.</pre><pre>Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.</pre><pre>#Unable to load mail system support.</pre><pre>Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents</pre><pre>%s [Recovered]</pre><pre>3.0.0.2</pre></SShG></pre></SShG>
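The printf-style URL templates, hard-coded host names and User-Agent strings in the dump above are enough to write a network detection for this sample's check-ins. The script below is an added example, not part of the Lavasoft report or of the sample's own code: it turns each URL template into an anchored regular expression (each %s/%d/%u conversion becomes a capture group), tags requests to the listed hosts, and runs both checks over a few proxy-log lines. The log lines, their field layout and every client address, id and hwid value in them are constructed for this example and are not traffic from the report.

```python
"""Derive check-in detections from the strings in the dump and run them
over constructed proxy-log lines (added example, not from the report)."""
import re
from urllib.parse import urlsplit

# Copied verbatim from the strings dump. The %s/%d/%u conversions are the
# sample's own format specifiers; the hosts are the literal strings listed.
URL_TEMPLATES = [
    "http://%s/r.php?ver=14&id=%s&hwid=%s&p=%d&os=%s",
    "http://%s/sig/?id=%s&system=%s&hwid=%s&n=%s",
    "http://photodatastore.com/sp.php?adv=%s&who=S",
    "http://%s/ex2.php",
    "http://jn%s.%s/forum.cgi",
]
HOSTS = {
    "chargeyourorder.com", "ordersonlinenow.com", "mediaforclouds.com",
    "ourbigvideostore.com", "photodatastore.com",
}
# "mozilla/2.0" is distinctive enough to record; the MSIE 6.0 agent is the
# stock IE6-on-XP string and is deliberately not flagged on its own.
ODD_USER_AGENT = "mozilla/2.0"

_SPEC = re.compile(r"%[sdu]")


def template_to_regex(template):
    """Escape the literal parts of a printf template and replace each
    conversion with a capture group. %d/%u become digit runs; %s becomes a
    non-greedy run of characters that cannot start a new URL component.
    The pattern is anchored so a template cannot match inside an
    unrelated, longer URL."""
    parts = _SPEC.split(template)
    specs = _SPEC.findall(template)
    pattern = re.escape(parts[0])
    for spec, literal in zip(specs, parts[1:]):
        pattern += r"(\d+)" if spec in ("%d", "%u") else r"([^\s/?&=]+?)"
        pattern += re.escape(literal)
    return re.compile("^" + pattern + "$")


RULES = [(t, template_to_regex(t)) for t in URL_TEMPLATES]


def match_template(url):
    """Return (template, captured fields) for the first template that
    matches the whole URL, or (None, ()) if none does."""
    for template, rx in RULES:
        m = rx.match(url)
        if m:
            return template, m.groups()
    return None, ()


# Assumed log shape for this example: client, method, URL, quoted User-Agent.
_LOG = re.compile(r'^(\S+) (GET|POST) (\S+) "([^"]*)"$')

# Constructed sample lines; addresses and parameter values are made up.
SAMPLE_LOG = [
    '10.0.0.5 GET http://chargeyourorder.com/r.php?ver=14&id=abc123&hwid=0123ABCD&p=2&os=5.1 "mozilla/2.0"',
    '10.0.0.5 POST http://ordersonlinenow.com/sig/?id=abc123&system=XP&hwid=0123ABCD&n=3 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.7 GET http://www.example.com/r.php?ver=14 "Mozilla/5.0"',
    '10.0.0.9 GET http://photodatastore.com/sp.php?adv=TH_1&who=S "mozilla/2.0"',
    '10.0.0.9 GET http://ourbigvideostore.com/index.html "Mozilla/5.0"',
]


def scan(lines):
    """Classify each parseable log line. A line is suspicious when its URL
    matches one of the sample's templates or its host is in the dump's
    host list; the odd User-Agent is recorded but not used for the verdict."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue  # unexpected shape: skip rather than guess at fields
        client, method, url, ua = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        template, fields = match_template(url)
        known_host = host in HOSTS
        hits.append({
            "client": client, "method": method, "url": url, "host": host,
            "template": template, "fields": fields,
            "known_host": known_host, "odd_ua": ua == ODD_USER_AGENT,
            "suspicious": template is not None or known_host,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f'{flag:10} {hit["client"]} {hit["url"]} template={hit["template"]}')
```

The anchored form matters: the second `r.php?ver=14` line above shares a path with the first template but lacks the rest of the query string, so it is not attributed to the sample, while the `index.html` request is caught by the host list alone. If you deploy this against real proxy logs, adapt `_LOG` to your log format and keep the host list separate from the template rules, since domains rotate faster than the beacon format.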