Trojan.Win32.Agent.aec (Kaspersky), Virus.Win32.Sality.ah (v) (VIPRE), Trojan.Win32.Agent!IK (Emsisoft), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c600ea14d1f96586cd099996c09e6d9d
SHA1: a920b7332069e7760abfb2b312d100be315b118c
SHA256: 4e20fc3fb8f60ba732608f7875138178f224d34cf75272db48700f76516af5b8
SSDeep: 1536:3KtrYE48w7vG1hvcS1990x6PlKVskWMWPkLlPLIR7Z8VcwRMtQ9is:UrYd8wihh1TxIpTvBe8TatQ5
Size: 86528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ApPure
Created at: 2006-12-13 15:15:04
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
WINMINE.EXE:2192
WINMINE.EXE:2336
netsh.exe:952
NOTEPAD.EXE:2476
NOTEPAD.EXE:2444
NOTEPAD.EXE:1972
NOTEPAD.EXE:2304
NOTEPAD.EXE:2396
NOTEPAD.EXE:2412
NOTEPAD.EXE:2364
%original file name%.exe:1908
The Virus injects its code into the following process(es):
soundmix.exe:1932
File activity
The process %original file name%.exe:1908 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%System%\soundmix.exe (601 bytes)
The process soundmix.exe:1932 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%System%\dllcache\zipexr.dll (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winhgqyk.exe (601 bytes)
%System%\drivers\etc\hosts.tmp (1592 bytes)
The Virus deletes the following file(s):
C:\73064 (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winhgqyk.exe (0 bytes)
Registry activity
The process WINMINE.EXE:2192 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 A0 5A 6B D6 65 C3 0D 84 84 C3 F5 4B CC 47 D0"
The process WINMINE.EXE:2336 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D D7 9B DF D5 00 A7 82 39 9E C3 2B 49 7A 40 B8"
The process netsh.exe:952 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 3E 15 E8 69 30 22 F2 59 32 11 66 EB DC AF 3E"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process NOTEPAD.EXE:2476 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 C4 A7 14 93 8E 32 1D F4 70 B8 D9 1E F9 67 49"
The process NOTEPAD.EXE:2444 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 AB F4 9D B7 C9 D3 73 1D D4 03 52 3F F4 58 9D"
The process NOTEPAD.EXE:1972 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 08 2A 2F 47 4F BB 31 9A 72 27 28 87 A3 CB 47"
The process NOTEPAD.EXE:2304 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 03 1B 21 C3 C4 CF 40 AB 5A AA EF AF 7F 75 FF"
The process NOTEPAD.EXE:2396 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 FF CC C4 01 5D 57 85 BA 22 6A F0 F5 5E D0 05"
The process NOTEPAD.EXE:2412 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 32 00 6A 6C C9 40 0B D8 1A 4C EB B2 A9 52 FE"
The process NOTEPAD.EXE:2364 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B6 23 84 4C 2E 29 9D 1A 77 1C AA 4F 0D 46 D3"
The process %original file name%.exe:1908 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
"UacDisableNotify" = "1"
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The process soundmix.exe:1932 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\adm914]
"a2_267" = "1914152784"
"a2_266" = "1906990715"
"a2_265" = "1899821761"
"a2_264" = "1892651226"
"a2_263" = "1885471839"
"a1_241" = "3207628569"
"a2_261" = "1871147823"
"a2_260" = "1863968298"
"a2_269" = "1928490789"
"a2_268" = "1921320468"
"a3_158" = "1115724279"
"a3_159" = "1123168790"
"a2_226" = "1620215017"
"a3_150" = "1092336383"
"a3_151" = "1099259678"
"a3_152" = "1106310065"
"a3_153" = "1080268752"
"a3_154" = "1087178867"
"a3_155" = "1127787666"
"a3_156" = "1135231285"
"a3_157" = "1108731220"
"a2_15" = "107541614"
"a2_14" = "100362416"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\adm914]
"a2_16" = "114710516"
"a2_11" = "78858863"
"a2_10" = "71693474"
"a2_13" = "93192777"
"a2_12" = "86026192"
"a2_292" = "2093379632"
"a3_288" = "2048100105"
"a2_290" = "2079039523"
"a3_203" = "1472066242"
"a2_19" = "136212410"
"a2_18" = "129044508"
"a2_294" = "2107725872"
"a3_289" = "2055027624"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\adm914]
"a1_219" = "4278561193"
"a3_92" = "643004661"
"a1_301" = "1140227447"
"a4_237" = "1699081677"
"a3_93" = "649993492"
"a2_111" = "795774989"
"a3_129" = "907869896"
"a2_110" = "788610380"
"a1_296" = "140233829"
"a2_113" = "810112937"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a2_114" = "817275406"
"a2_230" = "1648899848"
"a3_128" = "934369961"
"a2_117" = "838793437"
"a2_116" = "831613988"
"a4_184" = "1319118264"
"a4_185" = "1326287385"
"a4_186" = "1333456506"
"a4_187" = "1340625627"
"a4_180" = "1290441780"
"a3_98" = "685967115"
"a1_129" = "2985281589"
"a2_118" = "845960742"
"a1_127" = "3196395334"
"a1_126" = "166480359"
"a1_125" = "3719098392"
"a3_99" = "726580138"
"a1_123" = "3135182018"
"a1_122" = "2641452643"
"a1_121" = "1344952167"
"a1_120" = "2809991222"
"a1_291" = "1415014426"
"a2_225" = "1613049148"
"a1_262" = "592972315"
"a4_119" = "853125399"
"a4_118" = "845956278"
"a4_117" = "838787157"
"a4_116" = "831618036"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a2_160" = "1147056740"
"a2_161" = "1154220135"
"a2_162" = "1161400890"
"a2_163" = "1168568799"
"a2_164" = "1175738298"
"a2_165" = "1182903117"
"a2_166" = "1190070466"
"a2_167" = "1197269247"
"a2_168" = "1204407742"
"a2_169" = "1211584917"
"a1_216" = "3149299599"
"a1_238" = "1271703815"
"a2_17" = "121877695"
"a2_299" = "2143562612"
"a1_98" = "4081310847"
"a1_99" = "545374928"
"a1_94" = "1513945031"
"a1_95" = "3432174506"
"a1_96" = "884104247"
"a1_97" = "776355196"
"a1_90" = "2367336274"
"a1_91" = "2832329515"
"a1_92" = "2755597332"
"a1_93" = "2271132271"
"a1_21" = "2105252809"
"a1_20" = "4273194817"
"a1_23" = "2400218485"
"a1_22" = "2464251422"
"a1_25" = "2094007102"
"a1_24" = "460439757"
"a1_27" = "894527614"
"a1_26" = "3105283240"
"a1_29" = "1314565534"
"a1_28" = "3850481105"
"a3_279" = "1983582110"
"a3_278" = "2009623423"
"a1_252" = "1945130408"
"a4_196" = "1405147716"
"a2_293" = "2100557983"
"a2_234" = "1677578738"
"a1_138" = "582805347"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\adm914]
"a1_139" = "1780216562"
"a2_304" = "2179408000"
"a2_305" = "2186576929"
"a3_69" = "478110732"
"a3_68" = "470664173"
"a2_300" = "2150741518"
"a2_258" = "1849638078"
"a2_302" = "2165076982"
"a2_303" = "2172245648"
"a3_63" = "468244982"
"a3_62" = "461186391"
"a3_61" = "454263092"
"a3_60" = "413199509"
"a3_67" = "497168202"
"a3_66" = "489720619"
"a3_65" = "449123976"
"a3_64" = "442135145"
"a3_114" = "834001179"
"a3_115" = "807894458"
"a3_116" = "814879197"
"a3_117" = "821922428"
"a3_110" = "771902343"
"a3_111" = "778955814"
"a3_112" = "785940569"
"a3_113" = "826942712"
"a4_243" = "1742096403"
"a4_242" = "1734927282"
"a4_241" = "1727758161"
"a4_240" = "1720589040"
"a3_118" = "862924447"
"a3_119" = "869974846"
"a4_245" = "1756434645"
"a4_244" = "1749265524"
"a3_226" = "1636956043"
"a1_213" = "1176674796"
"a4_238" = "1706250798"
"a3_227" = "1610836010"
"a4_236" = "1691912556"
"a1_130" = "1227316250"
"a4_234" = "1677574314"
"a2_190" = "1362125197"
"a4_232" = "1663236072"
"a3_224" = "1588903625"
"a4_230" = "1648897830"
"a1_131" = "548611318"
"a1_248" = "2205567415"
"a4_194" = "1390809474"
"a3_225" = "1629901672"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\adm914]
"a2_250" = "1792282842"
"a3_189" = "1371566516"
"a3_188" = "1364647189"
"a3_187" = "1324038386"
"a3_186" = "1316586579"
"a3_185" = "1309597744"
"a3_184" = "1336102801"
"a3_183" = "1328655230"
"a3_182" = "1288058591"
"a3_181" = "1280611004"
"a3_180" = "1307180573"
[HKCU\Software\adm914\695404737]
"35845605" = "282"
[HKCU\Software\adm914]
"a4_229" = "1641728709"
"a1_212" = "1155751449"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a4_33" = "236580993"
"a4_32" = "229411872"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKCU\Software\adm914]
"a1_251" = "2305314646"
"a1_158" = "1972107663"
"a3_37" = "248309804"
"a3_96" = "671534665"
"a3_97" = "678453992"
"a3_94" = "690598327"
"a3_95" = "698045910"
"a2_68" = "487505795"
"a2_69" = "494673678"
"a3_90" = "662052915"
"a3_91" = "669107282"
"a2_64" = "458821541"
"a2_65" = "465989143"
"a2_66" = "473167297"
"a2_67" = "480334825"
"a2_60" = "430152896"
"a2_61" = "437318743"
"a2_62" = "444488918"
"a2_63" = "451652094"
"a2_286" = "2050374890"
"a3_228" = "1617824845"
"a2_281" = "2014526136"
"a2_280" = "2007358176"
"a1_310" = "2466703160"
"a3_206" = "1493543975"
"a2_282" = "2021690350"
"a1_305" = "3398232781"
"a1_220" = "1938384896"
"a4_284" = "2036030364"
"a2_112" = "802944190"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914]
"a2_88" = "630887590"
"a4_260" = "1863971460"
"a4_88" = "630882648"
"a4_89" = "638051769"
"a2_185" = "1326290905"
"a3_310" = "2239031135"
"a4_80" = "573529680"
"a4_81" = "580698801"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a1_170" = "922541361"
"a1_171" = "507605405"
"a1_172" = "3207119477"
"a1_173" = "2524603600"
"a1_174" = "165841075"
"a1_175" = "2999221646"
"a1_176" = "1903262694"
"a1_177" = "3264365151"
"a1_178" = "1385490475"
"a1_179" = "3227857024"
"a4_305" = "2186581905"
"a3_311" = "2246548478"
"a2_128" = "917645364"
"a2_129" = "924811464"
"a1_279" = "2256781294"
"a1_278" = "568864590"
"a2_124" = "888963122"
"a2_125" = "896144803"
"a2_126" = "903314960"
"a2_127" = "910482079"
"a2_120" = "860297832"
"a2_121" = "867462405"
"a2_122" = "874628950"
"a2_123" = "881799013"
"a4_140" = "1003676940"
"a4_141" = "1010846061"
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a4_144" = "1032353424"
"a4_145" = "1039522545"
"a4_146" = "1046691666"
"a4_147" = "1053860787"
"a4_148" = "1061029908"
"a4_149" = "1068199029"
"a4_235" = "1684743435"
"a3_231" = "1672935854"
"a3_230" = "1665877263"
"a3_233" = "1653814880"
"a3_232" = "1646370241"
"a1_69" = "731754079"
"a1_68" = "941100222"
"a1_218" = "1129193684"
"a3_236" = "1708909381"
"a1_65" = "2804048876"
"a1_64" = "1391028764"
"a1_67" = "2612567207"
"a1_66" = "681292746"
"a1_61" = "4257030708"
"a1_60" = "778706406"
"a1_63" = "686454938"
"a1_62" = "1614424872"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a2_95" = "681061348"
"a2_94" = "673892622"
"a2_97" = "695404192"
"a2_96" = "688238664"
"a2_91" = "652390581"
"a2_90" = "645225794"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a4_207" = "1484008047"
"a4_206" = "1476838926"
"a4_205" = "1469669805"
"a4_204" = "1462500684"
"a4_203" = "1455331563"
"a4_202" = "1448162442"
"a4_201" = "1440993321"
"a4_200" = "1433824200"
"a2_251" = "1799453881"
"a1_224" = "524948657"
"a1_240" = "2186834720"
"a1_194" = "2288717263"
"a4_209" = "1498346289"
"a4_208" = "1491177168"
"a3_305" = "2203581880"
"a3_304" = "2162448665"
"a3_307" = "2183924346"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\adm914]
"a3_301" = "2174512164"
"a1_226" = "3856201708"
"a3_303" = "2155521254"
"a3_302" = "2148466759"
"a4_218" = "1562868378"
"a1_227" = "1449467482"
"a2_98" = "702576091"
"a3_308" = "2191503005"
"a4_219" = "1570037499"
"a2_223" = "1598713694"
"a1_221" = "676776192"
"a2_222" = "1591542489"
"a2_221" = "1584378047"
"a1_287" = "1986380491"
"a2_274" = "1964341326"
"a3_84" = "585598461"
"a1_269" = "913636532"
"a2_220" = "1577211293"
"a2_270" = "1935655880"
"a2_271" = "1942837201"
"a2_272" = "1949992240"
"a2_273" = "1957174740"
"a1_185" = "512190050"
"a2_278" = "1993022897"
"a3_275" = "1954659866"
"a1_184" = "1289465840"
"a3_169" = "1228156448"
"a3_168" = "1187689857"
"a3_165" = "1199757484"
"a3_164" = "1192698893"
"a3_167" = "1180635502"
"a3_166" = "1206680783"
"a3_161" = "1171213096"
"a3_160" = "1163777673"
"a3_163" = "1151697898"
"a3_162" = "1144713035"
"a3_297" = "2146049696"
"a1_289" = "4268173526"
"a3_255" = "1844811446"
"a3_296" = "2139060737"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKCU\Software\adm914]
"a3_271" = "1926113414"
"a3_52" = "389745053"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\adm914]
"a3_50" = "341766363"
"a3_51" = "348755322"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a2_20" = "143378977"
"a2_21" = "150545965"
"a2_22" = "157727843"
"a2_23" = "164896269"
"a2_24" = "172063621"
"a2_25" = "179231708"
"a2_26" = "186392880"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
[HKCU\Software\adm914]
"a2_212" = "1519858048"
"a3_291" = "2103079018"
"a2_213" = "1527026292"
"a3_277" = "2002712284"
"a3_290" = "2062081995"
"a2_210" = "1505513020"
"a1_263" = "428834555"
"a2_211" = "1512679473"
"a2_216" = "1548526460"
"a4_198" = "1419485958"
"a2_217" = "1555697589"
"a2_214" = "1534196750"
"a3_276" = "1962103485"
"a3_190" = "1345525207"
"a2_215" = "1541358319"
"a3_262" = "1861734767"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a3_220" = "1593911669"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a1_2" = "1147964647"
"a1_3" = "369175827"
"a1_0" = "3432392762"
"a1_1" = "1313561096"
"a1_6" = "1444987664"
"a1_7" = "2129587444"
"a1_4" = "3854877565"
"a1_5" = "1008453933"
"a1_222" = "377497415"
"a1_8" = "4195230381"
"a1_9" = "2821984816"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a1_134" = "1105250196"
"a1_135" = "747141244"
"a1_136" = "1382615987"
"a1_137" = "849204380"
"a3_8" = "40388897"
"a3_9" = "47967552"
"a1_132" = "994814160"
"a1_133" = "1632611627"
"a3_270" = "1918678119"
"a4_215" = "1541361015"
"a4_164" = "1175735844"
"a1_253" = "596359315"
"a3_260" = "1847236781"
"a1_303" = "2107579309"
"a1_302" = "2524754493"
"a3_148" = "1044210237"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a2_155" = "1111218722"
"a2_154" = "1104048430"
"a2_157" = "1125552563"
"a2_156" = "1118385716"
"a2_151" = "1082532087"
"a2_150" = "1075365118"
"a2_153" = "1096870023"
"a2_152" = "1089699894"
"a1_181" = "2235160872"
"a1_180" = "3190250224"
"a1_183" = "3672632590"
"a1_182" = "3745547951"
"a2_159" = "1139886152"
"a2_158" = "1132718238"
"a1_187" = "1577700965"
"a1_186" = "1517194804"
"a1_83" = "189128997"
"a1_82" = "771476038"
"a1_81" = "4121628025"
"a1_80" = "2995330327"
"a1_87" = "886211389"
"a1_86" = "3875611485"
"a1_85" = "1347586173"
"a1_84" = "2957281947"
"a3_274" = "1947600379"
"a1_89" = "3084247026"
"a1_88" = "2826153884"
"a1_275" = "488413671"
"a3_299" = "2126993250"
"a3_298" = "2119545539"
"a1_14" = "2290432919"
"a1_15" = "878832638"
"a1_16" = "1288795214"
"a1_17" = "1198099772"
"a1_10" = "3028266871"
"a1_11" = "1961750138"
"a1_12" = "2826292929"
"a1_13" = "2934584612"
"a1_273" = "3459847475"
"a1_18" = "1703037826"
"a1_19" = "174537543"
[HKCR\exefile\shell\open\command]
"(Default)" = "soundmix %1 %*"
[HKCU\Software\adm914]
"a1_272" = "2088965709"
"a3_268" = "1938194341"
"a3_269" = "1945179076"
"a1_271" = "238238178"
"a1_223" = "3092094212"
"a3_263" = "1902212494"
"a2_93" = "666725957"
"a3_144" = "1015749817"
"a3_266" = "1890133731"
"a3_267" = "1930746626"
"a3_264" = "1909255713"
"a3_265" = "1883210304"
"a4_210" = "1505515410"
"a1_292" = "4131715069"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a4_258" = "1849633218"
"a4_259" = "1856802339"
"a2_232" = "1663231410"
"a1_242" = "3518961382"
"a2_92" = "659555672"
"a4_251" = "1799449371"
"a4_252" = "1806618492"
"a4_253" = "1813787613"
"a4_254" = "1820956734"
"a4_255" = "1828125855"
"a1_189" = "3368644306"
"a4_257" = "1842464097"
"a1_246" = "3117780350"
"a3_261" = "1854160076"
"a2_227" = "1627396625"
"a1_247" = "1610267970"
"a3_240" = "1737322713"
"a1_244" = "3024194231"
"a1_245" = "1972727942"
"a3_198" = "1436076335"
"a3_199" = "1409969486"
"a3_194" = "1407548331"
"a3_195" = "1380982730"
"a3_196" = "1388556397"
"a3_197" = "1429034124"
"a1_188" = "3457618030"
"a3_191" = "1352568438"
"a3_192" = "1393042153"
"a4_181" = "1297610901"
"a3_135" = "950830350"
"a2_209" = "1498343089"
"a4_182" = "1304780022"
"a2_205" = "1469674783"
"a2_204" = "1462495944"
"a2_207" = "1484010781"
"a1_128" = "4236670553"
"a2_201" = "1440990265"
"a2_200" = "1433826570"
"a2_203" = "1455325971"
"a2_202" = "1448157838"
"a2_241" = "1727753484"
"a4_310" = "2222427510"
"a1_290" = "3888926172"
"a2_240" = "1720582788"
"a4_213" = "1527022773"
"a1_268" = "1825236703"
"a2_243" = "1742101403"
"a2_73" = "523341187"
"a2_72" = "516169346"
"a2_71" = "509005775"
"a2_70" = "501835793"
"a2_77" = "552021599"
"a2_76" = "544855394"
"a2_75" = "537686691"
"a2_74" = "530521640"
"a3_121" = "850861040"
"a3_120" = "843343697"
"a2_79" = "566357968"
"a2_78" = "559186958"
"a3_89" = "654610320"
"a3_88" = "614067057"
"a3_127" = "927442486"
"a3_126" = "886312343"
"a2_284" = "2036026640"
"a1_230" = "1560256123"
"a3_235" = "1701334818"
"a2_246" = "1763600274"
"a3_234" = "1660856963"
"a2_224" = "1605879368"
"a3_237" = "1682343908"
"a2_191" = "1369306111"
"a4_233" = "1670405193"
"a1_255" = "664102228"
"a1_228" = "2154763568"
"a3_239" = "1730403494"
"a4_292" = "2093383332"
"a3_238" = "1689270279"
"a2_279" = "2000189079"
"a3_142" = "1034864615"
"a2_199" = "1426657730"
"a4_239" = "1713419919"
"a1_266" = "3884070559"
"a1_229" = "3830227603"
"a2_296" = "2122100996"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a1_145" = "1123319999"
"a1_144" = "1156580063"
"a1_147" = "3809333218"
"a1_146" = "1362177795"
"a1_141" = "831386287"
"a1_140" = "3909516886"
"a1_143" = "3067768416"
"a1_142" = "1344806035"
"a1_149" = "722614177"
"a1_148" = "1319543516"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_1" = "7169121"
"a4_0" = "0"
"a2_119" = "853128064"
"a2_99" = "709739748"
"a3_85" = "626081308"
"a1_267" = "2532077946"
"a1_260" = "2234693690"
"a1_261" = "3936325409"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a4_175" = "1254596175"
"a4_174" = "1247427054"
"a4_177" = "1268934417"
"a4_176" = "1261765296"
"a4_171" = "1225919691"
"a4_170" = "1218750570"
"a4_173" = "1240257933"
"a4_172" = "1233088812"
"a1_304" = "1987871341"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914]
"a4_178" = "1276103538"
"a1_50" = "2445414844"
"a1_51" = "3848104552"
"a1_52" = "941617646"
"a1_53" = "234965974"
"a1_54" = "447379362"
"a1_55" = "1397357441"
"a1_56" = "1234296161"
"a1_57" = "2474295847"
"a1_58" = "2278797219"
"a1_59" = "3672963827"
"a2_193" = "1383645072"
"a2_195" = "1397973026"
"a3_229" = "1624875244"
"a1_254" = "285863015"
"a1_311" = "165927054"
"a1_312" = "1899724641"
"a2_192" = "1376473628"
"a3_47" = "353765350"
"a2_188" = "1347788984"
"a2_189" = "1354960345"
"a2_186" = "1333460951"
"a2_187" = "1340633793"
"a2_184" = "1319121027"
"a3_46" = "313221959"
"a2_182" = "1304774784"
"a2_183" = "1311953759"
"a2_180" = "1290437617"
"a2_181" = "1297605035"
"a4_214" = "1534191894"
"a2_37" = "265262217"
"a4_216" = "1548530136"
"a4_217" = "1555699257"
"a2_9" = "64525028"
"a2_8" = "57357957"
"a4_212" = "1519853652"
"a3_48" = "360822809"
"a2_5" = "35840104"
"a2_4" = "28673033"
"a2_7" = "50178858"
"a2_6" = "43012043"
"a2_1" = "7172588"
"a2_0" = "5517"
"a2_3" = "21510318"
"a2_2" = "14343503"
"a3_253" = "1830771188"
"a3_252" = "1789764949"
"a3_251" = "1782710578"
"a3_250" = "1809280147"
"a3_257" = "1825746760"
"a3_256" = "1818692393"
"a3_254" = "1837822487"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914]
"a3_259" = "1873798154"
"a3_258" = "1866220523"
"a1_300" = "232250874"
"a4_289" = "2071875969"
"a4_288" = "2064706848"
"a4_287" = "2057537727"
"a4_286" = "2050368606"
"a2_197" = "1412309463"
"a2_198" = "1419489462"
"a4_283" = "2028861243"
"a4_282" = "2021692122"
"a4_281" = "2014523001"
"a4_280" = "2007353880"
"a1_233" = "4070407412"
"a1_232" = "1527930429"
"a1_225" = "2274210319"
"a1_231" = "1220800927"
"a1_307" = "3409256966"
"a3_222" = "1608410679"
"a3_172" = "1216092933"
"a3_173" = "1223671716"
"a3_170" = "1235731011"
"a3_171" = "1209100002"
"a3_176" = "1245079705"
"a3_177" = "1252068664"
"a3_174" = "1264145351"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\adm914]
"a2_196" = "1405144284"
"a1_237" = "1531582180"
"a3_178" = "1292673371"
"a3_179" = "1300121082"
"a2_245" = "1756431449"
"a2_244" = "1749266779"
"a2_247" = "1770766493"
"a1_236" = "1458879697"
"a1_235" = "2016498244"
"a1_234" = "158183909"
"a1_306" = "3689627047"
"a3_41" = "277248416"
"a3_40" = "269796609"
"a3_43" = "324843106"
"a3_42" = "284237251"
"a3_45" = "305778468"
"a3_44" = "332278405"
"a2_39" = "279600335"
"a2_38" = "272430938"
"a3_49" = "368270520"
"a2_36" = "258081946"
"a2_35" = "250913093"
"a2_34" = "243745946"
"a2_33" = "236580851"
"a2_32" = "229412876"
"a2_31" = "222245183"
"a2_30" = "215080590"
"a4_59" = "422978139"
"a4_58" = "415809018"
"a2_235" = "1684749855"
"a4_53" = "379963413"
"a4_52" = "372794292"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a1_295" = "1446431625"
"a3_306" = "2210566619"
"a2_89" = "638057617"
"a3_53" = "396796476"
"a3_241" = "1744311672"
"a1_265" = "3092806960"
"a4_165" = "1182904965"
"a1_297" = "1319889473"
"a3_300" = "2167589765"
"a2_48" = "344114955"
"a2_49" = "351284412"
"a2_42" = "301099999"
"a2_43" = "308267462"
"a2_40" = "286766527"
"a2_41" = "293929014"
"a2_46" = "329779196"
"a2_47" = "336950881"
"a2_44" = "315449076"
"a2_45" = "322614037"
"a2_115" = "824446747"
"a1_293" = "2774277661"
"a3_242" = "1718323611"
"a2_289" = "2071874169"
"a3_193" = "1400620808"
"a1_163" = "2710875790"
"a3_309" = "2231976764"
"a1_309" = "202883404"
"a4_179" = "1283272659"
"a1_101" = "2589031803"
"a1_100" = "1333321916"
"a1_103" = "3703653470"
"a1_102" = "3311448308"
"a1_105" = "3452064759"
"a1_104" = "3206272161"
"a1_107" = "2412547292"
"a1_106" = "3427121523"
"a1_109" = "573236889"
"a1_108" = "236436667"
"a2_208" = "1491181500"
"a3_223" = "1581849174"
"a1_298" = "3605467587"
"a3_295" = "2131608046"
"a4_131" = "939154851"
"a4_130" = "931985730"
"a4_133" = "953493093"
"a4_132" = "946323972"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_137" = "982169577"
"a4_136" = "975000456"
"a4_139" = "996507819"
"a4_138" = "989338698"
"a3_202" = "1465015971"
"a1_215" = "865784053"
"a1_214" = "1271444162"
"a1_217" = "2720900964"
"a2_206" = "1476842310"
"a1_211" = "3414880166"
"a1_210" = "3464847810"
"a1_198" = "684510806"
"a1_199" = "2782067327"
"a1_196" = "3893699994"
"a1_197" = "3030410395"
"a1_154" = "936872451"
"a1_195" = "3978116759"
"a1_192" = "1330717846"
"a1_193" = "2671936888"
"a1_190" = "803145642"
"a1_191" = "137545478"
"a3_284" = "2019045813"
"a3_285" = "2026624468"
"a2_148" = "1061035370"
"a2_149" = "1068203853"
"a3_280" = "1990631473"
"a3_281" = "2031109200"
"a3_282" = "2038692083"
"a3_283" = "2045680914"
"a2_142" = "1018016746"
"a2_143" = "1025182471"
"a2_140" = "1003682430"
"a2_141" = "1010851496"
"a2_146" = "1046685343"
"a2_147" = "1053864043"
"a2_144" = "1032351585"
"a2_145" = "1039518926"
"a1_308" = "1644449786"
"a3_273" = "1974165848"
"a2_231" = "1656063604"
"a2_248" = "1777935726"
"a3_272" = "1966722361"
"a1_256" = "1582762838"
"a4_250" = "1792280250"
"a2_297" = "2129224489"
"a1_209" = "940869989"
"a3_219" = "1553446098"
"a3_218" = "1545867443"
"a3_217" = "1572437008"
"a3_216" = "1565514737"
"a3_215" = "1524377438"
"a3_214" = "1517454143"
"a3_213" = "1510469276"
"a3_212" = "1536445053"
"a3_211" = "1529532890"
"a3_210" = "1488928187"
"a2_275" = "1971505985"
"a3_247" = "1753789374"
"a2_285" = "2043193786"
"a1_202" = "3383279939"
"a2_287" = "2057539769"
"a2_277" = "1985840542"
"a4_269" = "1928493549"
"a4_268" = "1921324428"
"a2_283" = "2028855808"
"a1_203" = "3339825842"
"a4_265" = "1899817065"
"a4_264" = "1892647944"
"a4_267" = "1914155307"
"a4_266" = "1906986186"
"a4_261" = "1871140581"
"a1_200" = "3211756433"
"a4_263" = "1885478823"
"a4_262" = "1878309702"
"a1_201" = "1690744692"
"a3_221" = "1600966036"
"a4_311" = "2229596631"
"a1_206" = "1252292435"
"a4_312" = "2236765752"
"a1_207" = "4125860129"
"a1_282" = "3053724260"
"a1_283" = "1973590768"
"a1_280" = "3840305509"
"a1_281" = "4220937229"
"a1_286" = "1221622312"
"a1_204" = "3785061394"
"a1_284" = "1545060094"
"a1_285" = "3801187136"
"a1_288" = "2683709301"
"a1_205" = "3913682277"
"a2_194" = "1390817522"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a2_218" = "1562865170"
"a2_219" = "1570032604"
"a3_87" = "607024862"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_149" = "1051199068"
"a3_86" = "633131711"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914]
"a3_143" = "1008236550"
"a3_81" = "597665944"
"a3_141" = "1027810116"
"a3_140" = "986812197"
"a3_147" = "1070844314"
"a3_146" = "1063277947"
"a3_145" = "1022800088"
"a3_80" = "590099577"
"a1_155" = "463359973"
"a4_197" = "1412316837"
"a2_295" = "2114895063"
"a3_83" = "578085210"
"a3_138" = "1006335587"
"a3_139" = "979823234"
"a3_136" = "991836577"
"a3_137" = "998890944"
"a3_134" = "943841519"
"a3_82" = "571034939"
"a3_132" = "962897965"
"a3_133" = "970345548"
"a3_130" = "915379051"
"a3_131" = "922302346"
"a3_205" = "1452936068"
"a1_299" = "1318323483"
"a1_159" = "1443509626"
"a4_193" = "1383640353"
"a2_262" = "1878306190"
"a3_123" = "898388146"
"a4_192" = "1376471232"
"a3_122" = "891468819"
"a4_191" = "1369302111"
"a4_199" = "1426655079"
"a3_125" = "879323508"
"a4_190" = "1362132990"
"a2_259" = "1856803515"
"a1_264" = "599216603"
"a3_124" = "905966805"
"a1_259" = "1471234279"
"a2_307" = "2200925813"
"a2_276" = "1978672132"
"a1_258" = "108849555"
"a2_288" = "2064709947"
"a2_301" = "2157909461"
"a4_256" = "1835294976"
[HKCU\Software\adm914\695404737]
"43014726" = "0700687474703A2F2F6161726D736F6C7574696F6E732E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F616C69736F6E6A616D65736F6E70686F746F732E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6D616365646F6E69612E6D79312E72752F6D61696E682E67696600687474703A2F2F656C617377616E792E636F6D2F6C6F676F732E67696600687474703A2F2F7777772E62656C6573636979697A2E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F64657369676E64656E6E2E636F6D2F696D67732F6D61696E662E67696600687474703A2F2F646976657267656E74696E666F736F66742E636F6D2F696D616765732F6C6F676F732E676966"
[HKCU\Software\adm914]
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a3_208" = "1508041977"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a4_211" = "1512684531"
"a2_291" = "2086208225"
"a2_298" = "2136395170"
"a2_308" = "2208096638"
"a2_309" = "2215264042"
"a2_106" = "759924618"
"a2_107" = "767094083"
"a2_104" = "745593254"
"a2_105" = "752762747"
"a2_102" = "731244238"
"a2_103" = "738424413"
"a2_100" = "716906588"
"a2_101" = "724077997"
"a1_152" = "2967401422"
"a1_153" = "1014245937"
"a1_150" = "3894125450"
"a1_151" = "1818249067"
"a1_156" = "2441475618"
"a1_157" = "3214649769"
"a2_108" = "774258788"
"a2_109" = "781430421"
"a3_207" = "1500987462"
"a1_277" = "4194831271"
"a3_200" = "1416954337"
"a4_249" = "1785111129"
"a3_201" = "1424013824"
"a1_47" = "2449282969"
"a1_46" = "4191856213"
"a1_45" = "553522768"
"a1_44" = "1005423860"
"a1_43" = "1314272774"
"a1_42" = "3761009906"
"a1_41" = "702815708"
"a1_40" = "2509512309"
"a4_162" = "1161397602"
"a4_163" = "1168566723"
"a4_160" = "1147059360"
"a4_161" = "1154228481"
"a4_166" = "1190074086"
"a4_167" = "1197243207"
"a1_49" = "3841203912"
"a1_48" = "3546313037"
"a2_173" = "1240254740"
"a2_172" = "1233086624"
"a2_171" = "1225923082"
"a2_170" = "1218742279"
"a2_177" = "1268938169"
"a2_176" = "1261770101"
"a2_175" = "1254588782"
"a2_174" = "1247423277"
"a2_179" = "1283275671"
"a2_178" = "1276108194"
"a2_233" = "1670400370"
"a2_242" = "1734932235"
"a1_32" = "4269701534"
"a2_28" = "200729694"
"a1_30" = "27769634"
"a1_31" = "1941123751"
"a1_36" = "2072048617"
"a1_37" = "3133558352"
"a1_34" = "495973791"
"a2_29" = "207900435"
"a3_248" = "1761236945"
"a4_247" = "1770772887"
"a1_38" = "2318946346"
"a1_39" = "2749741460"
"a4_168" = "1204412328"
"a4_246" = "1763603766"
"a2_86" = "616541674"
"a4_169" = "1211581449"
"a4_298" = "2136398058"
"a4_299" = "2143567179"
"a2_87" = "623708620"
"a4_294" = "2107721574"
"a4_295" = "2114890695"
"a4_296" = "2122059816"
"a4_297" = "2129228937"
"a4_290" = "2079045090"
"a4_291" = "2086214211"
"a1_274" = "1781966191"
"a4_293" = "2100552453"
"a1_243" = "912863559"
"a2_312" = "2236763916"
"a2_311" = "2229594671"
"a2_310" = "2222429953"
"a3_107" = "750493346"
"a3_106" = "742980099"
"a3_105" = "769475040"
"a3_104" = "762555713"
"a3_103" = "754977070"
"a3_102" = "714511503"
"a3_101" = "707522668"
"a3_100" = "733503437"
"a2_256" = "1835300281"
"a2_257" = "1842470723"
"a2_254" = "1820954619"
"a2_255" = "1828119121"
"a2_252" = "1806625462"
"a3_58" = "432789459"
"a3_109" = "798021476"
"a3_108" = "790966981"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 81 9B 4C 7C B9 7F 74 11 02 6A 4B 30 34 C3 46"
[HKCU\Software\adm914]
"a4_228" = "1634559588"
"a3_59" = "406145138"
"a4_273" = "1957170033"
"a4_221" = "1584375741"
"a4_220" = "1577206620"
"a4_223" = "1598713983"
"a4_222" = "1591544862"
"a4_225" = "1613052225"
"a4_224" = "1605883104"
"a4_227" = "1627390467"
"a4_226" = "1620221346"
"a3_74" = "513568291"
"a3_75" = "554631746"
"a3_76" = "561686245"
"a3_77" = "568613636"
"a3_70" = "485103791"
"a3_71" = "525712590"
"a3_72" = "533156193"
"a3_73" = "506656128"
"a2_27" = "193560734"
"a3_78" = "542637991"
"a3_79" = "549622726"
"a4_277" = "1985846517"
"a4_195" = "1397978595"
"a2_229" = "1641731549"
"a2_228" = "1634565691"
"a4_274" = "1964339154"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_231" = "1656066951"
"a3_175" = "1271198822"
"a2_253" = "1813785563"
"a2_59" = "422983649"
"a2_58" = "415804203"
"a4_279" = "2000184759"
"a2_51" = "365620444"
"a2_50" = "358449205"
"a2_53" = "379967970"
"a2_52" = "372797701"
"a2_55" = "394298902"
"a2_54" = "387135582"
"a2_57" = "408636704"
"a2_56" = "401468410"
"a1_294" = "2520594217"
"a1_270" = "3427565854"
"a4_183" = "1311949143"
"a4_285" = "2043199485"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a1_276" = "988882918"
"a3_292" = "2110067853"
"a4_248" = "1777942008"
"a2_306" = "2193747662"
"a3_312" = "2219916305"
"a1_116" = "3386586157"
"a1_117" = "2930696707"
"a1_114" = "2442174315"
"a1_115" = "1483629775"
"a1_112" = "154322100"
"a1_113" = "1799834479"
"a1_110" = "2844460259"
"a1_111" = "874274251"
[HKCU\Software\adm914\695404737]
"50183847" = "023D299E8D1357465E745092C1BDD4052AEBF735B12D160C35B8AE52B088252D364D202D3D3C6DB18DB7FB62F203711FF1E448ED6A07639E68181A3CBC46ADA8DA5E3D73C26419AF8497522F705B6296FB37BB6A61883CB2FED8CE1A4D8F928A093DEE541F075574189661D12D75BA2E1D4D33572CB69E22120FE186A99276E3"
[HKCU\Software\adm914]
"a1_118" = "3726442181"
"a1_119" = "3535656011"
"a4_126" = "903309246"
"a4_127" = "910478367"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a4_120" = "860294520"
"a4_121" = "867463641"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\adm914]
"a1_257" = "3337600052"
"a4_128" = "917647488"
"a4_129" = "924816609"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a1_162" = "3395745342"
"a1_161" = "821612885"
"a1_160" = "2145130602"
"a1_167" = "3345340446"
"a1_166" = "1555713070"
"a1_165" = "1654169308"
"a1_164" = "2860537968"
"a4_302" = "2165074542"
"a1_169" = "698182992"
"a1_168" = "3608943100"
"a4_303" = "2172243663"
"a2_238" = "1706249440"
"a3_204" = "1445500773"
"a1_208" = "601084061"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\adm914]
"a2_139" = "996514259"
"a2_138" = "989331572"
"a2_137" = "982165218"
"a2_136" = "975009346"
"a2_135" = "967834853"
"a2_134" = "960666753"
"a2_133" = "953496190"
"a2_132" = "946300724"
"a2_131" = "939150003"
"a2_130" = "931982843"
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_151" = "1082537271"
"a4_150" = "1075368150"
"a4_157" = "1125551997"
"a4_156" = "1118382876"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a4_159" = "1139890239"
"a4_158" = "1132721118"
"a2_239" = "1713416011"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
"7169121" = "56"
[HKCU\Software\adm914]
"a3_209" = "1481480472"
"a1_78" = "2853027031"
"a1_79" = "1898357691"
"a1_76" = "1771966359"
"a1_77" = "3993078134"
"a1_74" = "3794852802"
"a1_75" = "1028803634"
"a1_72" = "2565784438"
"a1_73" = "4205360100"
"a1_70" = "3113701855"
"a1_71" = "3493396414"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a3_32" = "212854281"
"a3_33" = "253401768"
"a3_34" = "260325067"
"a3_35" = "267899754"
"a3_36" = "241268621"
"a1_33" = "4265787224"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a2_84" = "602207310"
"a2_85" = "609370543"
"a2_82" = "587870386"
"a2_83" = "595039114"
"a2_80" = "573525868"
"a2_81" = "580703162"
"a4_272" = "1950000912"
"a1_239" = "3027475915"
"a4_188" = "1347794748"
"a3_243" = "1725243962"
"a4_276" = "1978677396"
"a2_236" = "1691917993"
"a2_249" = "1785115977"
"a4_275" = "1971508275"
"a3_294" = "2091003215"
"a3_244" = "1765852765"
"a4_278" = "1993015638"
"a2_237" = "1699083837"
"a3_245" = "1773304572"
"a4_270" = "1935662670"
"a3_246" = "1746738975"
"a4_308" = "2208089268"
"a4_309" = "2215258389"
"a4_306" = "2193751026"
"a4_307" = "2200920147"
"a4_304" = "2179412784"
"a1_35" = "3336591131"
"a1_249" = "2768159012"
"a3_286" = "2067091063"
"a4_300" = "2150736300"
"a4_301" = "2157905421"
"a4_189" = "1354963869"
"a3_287" = "2074141334"
"a1_124" = "316845366"
"a3_293" = "2083555628"
"a3_249" = "1801832560"
"a1_250" = "1845200616"
"a4_271" = "1942831791"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%]
"soundmix.exe" = "%System%\soundmix.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Virus modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 858 bytes in size. The following strings are added to the hosts file listed below:
| 61.129.115.198 | www.xldd.com |
| 61.129.115.198 | www.ojiang.com |
| 61.129.115.198 | www.shuixian.net |
| 61.129.115.198 | www.xlarea.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WINMINE.EXE:2192
WINMINE.EXE:2336
netsh.exe:952
NOTEPAD.EXE:2476
NOTEPAD.EXE:2444
NOTEPAD.EXE:1972
NOTEPAD.EXE:2304
NOTEPAD.EXE:2396
NOTEPAD.EXE:2412
NOTEPAD.EXE:2364
%original file name%.exe:1908 - Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%System%\soundmix.exe (601 bytes)
%WinDir%\system.ini (72 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%System%\dllcache\zipexr.dll (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winhgqyk.exe (601 bytes)
%System%\drivers\etc\hosts.tmp (1592 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.