Application.Keylogger.Spector.B_03c6dfc07d
not-a-virus:HEUR:Monitor.Win32.SpectorPro.heur (Kaspersky), Application.Keylogger.Spector.B (AdAware), Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Keylogger, Trojan, Worm, EmailWorm, Monitor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 03c6dfc07d2e9379a611c8a59e69019f
SHA1: 1165ae1c1f19f0e1291e85c963b5d11cc619da0f
SHA256: c84b8c4b76892018be5e9b544b4a6ff3e11043da2691d378f5704d4e83ccac13
SSDeep: 196608:ol9bX21jVc R 6gFBv4OD9KCWtAnuTEqmi8qt3z4:G9bmM1 tFVIF6nuTEqZdZz
Size: 10713752 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-16 23:46:51
Analyzed on: Windows7 SP1 32-bit
Summary:
Keylogger. Tracking software that records keyboard and/or mouse activity. Keyloggers typically either store the recorded keystrokes for later retrieval or transmit them to the remote process or person employing the keylogger. While there are some legitimate uses of keyloggers, they are often used maliciously by attackers to surreptitiously track behavior and perform unwanted or unauthorized actions, including but not limited to identity theft.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Application creates the following process(es):
sgvrfy32.exe:3776
%original file name%.exe:3400
runonce.exe:848
The Application injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3400 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Windows\System32\cmpipsvr32.dll (5156 bytes)
C:\Windows\System32\winipdat\winipdll\svrltwp.dll (436 bytes)
C:\Windows\System32\vdorctrl.dll (990 bytes)
C:\Windows\System32\svrltmgr.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUUF6EB.tmp (89 bytes)
C:\Windows\System32\drivers\vdorctrl.sys (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUU7E.tmp (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSVxRsc.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUU8E.tmp (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_msfile75B0C260.inf (1 bytes)
C:\Windows\System32\cmproxfr.dll (274 bytes)
C:\Windows\System32\sgvrfy32.exe (1389 bytes)
The Application deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUU7E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_msfile75B0C260.inf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUUF6EB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSVxRsc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUU8E.tmp (0 bytes)
The process runonce.exe:848 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
Registry activity
The process sgvrfy32.exe:3776 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSVxRsc.dll, , \??\C:\Windows\system32\msocxusys.dll, , \??\c:\windows\system32\sgvrfy32.log,"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\System Event Dispatcher]
"TypesSupported" = "7"
"ParameterMessageFile" = "C:\Windows\system32\sgvrfy32.exe"
"EventMessageFile" = "C:\Windows\system32\sgvrfy32.exe"
[HKLM\System\CurrentControlSet\Services\System Event Dispatcher]
"Description" = "Dispatches system events, such as Windows logons, user inactivity, and shutdown notifications."
The process %original file name%.exe:3400 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\Ddekuweb]
"FriendlyName" = "Hexofvga"
[HKLM\System\CurrentControlSet\services\vdorctrl]
"DebugFlags" = "0"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\Ddekuweb]
"LoadBehavior" = "3"
[HKCR\CLSID\{097CB2DB-6F65-4759-BEB8-214F26C19A6F}]
"(Default)" = "Hexofvga"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSVxRsc.dll,"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\Ddekuweb]
"FileName" = "C:\Windows\system32\svrltmgr.dll"
[HKCR\Ddekuweb\CLSID]
"(Default)" = "{097CB2DB-6F65-4759-BEB8-214F26C19A6F}"
[HKCR\CLSID\{097CB2DB-6F65-4759-BEB8-214F26C19A6F}\InprocServer32]
"(Default)" = "C:\Windows\system32\svrltmgr.dll"
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}\InprocServer32]
"(Default)" = "C:\Windows\system32\wzodlg32.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "100"
[HKCR\Ddekuweb]
"(Default)" = "Hexofvga"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\CLSID\{097CB2DB-6F65-4759-BEB8-214F26C19A6F}\ProgID]
"(Default)" = "Ddekuweb"
[HKLM\System\CurrentControlSet\services\vdorctrl]
"Start" = "0"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\Ddekuweb]
"CommandLineSafe" = "1"
[HKLM\System\CurrentControlSet\services\vdorctrl]
"Flags" = "1"
To automatically run itself each time Windows is booted, the Application adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
The Application deletes the following registry key(s):
[HKCR\CLSID\{Cb8DE863-0561-4ffd-9B86-5BA2E941BA52}]
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"
[HKLM\System\CurrentControlSet\services\vdorctrl]
"AltShell1"
"AltShell0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKLM\System\CurrentControlSet\services\vdorctrl]
"AltShell"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebExtLocation"
"(Default)"
The Application disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCheckStub"
The process runonce.exe:848 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The Application disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
Dropped PE files
| MD5 | File path |
|---|---|
| d9e6927d2b6e0e5240d27ad1970fff30 | c:\Windows\System32\cmproxfr.dll |
| 3f9c529240fc93cdf79bbc2a42415032 | c:\Windows\System32\drivers\vdorctrl.sys |
| 9584166043527ba7c1d56d5bcf628a2b | c:\Windows\System32\sgvrfy32.exe |
| 6bd27b655ee4a15974b3f297c3f8fdd9 | c:\Windows\System32\svrltmgr.dll |
| 485191fc17d885b5f14b1a6532095258 | c:\Windows\System32\vdorctrl.dll |
| 3ac08ef00db4501da1c8f01d31693cee | c:\Windows\System32\winipdat\winipdll\svrltwp.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 891952 | 892416 | 4.45937 | e1f6d19cf282673fea3d4dd017f167a2 |
| .rdata | 897024 | 371585 | 371712 | 2.71644 | 93f436d5a44651c608ea4267cd7bb7b9 |
| .data | 1269760 | 36644 | 13824 | 2.48418 | 1112338cfd8b88d9c782330622771b2b |
| .rsrc | 1306624 | 9231564 | 9231872 | 5.41241 | 60f4b3570950abab4b158ae8fc12d77d |
| .reloc | 10539008 | 107154 | 107520 | 3.34057 | 748af50f2b896a1b89e765298a9256d2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
1b40d27c77f66d87f5f41801fbcaeab8
dd4caa50b80a4634708475c6c0332d5f
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Application connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
SSh4\8
SSh`b8
SSh,m8
SSh o8
SShpn8
SSh(p8
SShts8
X@SSh
SSh\^8
SSh<g9
tcPh
SSh\L:
SSh|L:
SSh,Y:
SSh$Z:
SSh8Z:
SShLZ:
SShdZ:
QA1Q0ZWQIE_%d
kernel32.dll
sys.dll
0x%p,%d,%d
CryptGetKeyParam
CryptImportKey
CryptExportKey
CryptDeriveKey
CryptGetUserKey
CryptDestroyKey
CryptGenKey
ADVAPI32.dll
CRYPT32.dll
::AquireKeyContainer
0x%p,%d,%d,%d
%d,%d,%d
0x%x,0x%p,%d,0x%p,0x%p,%d
0x%p,0x%p,%d
0x%p,%d
::ResetKeyBlob
::IsKeySpecValid
::DeriveSessionKey
0x%p,%d,0x%p,%d,%d,%d
Error encrypting data getting data size (0x%x) (%x)
Error encrypting data while encrypting (0x%x) (%x) (%d,%d,%d)
Data encrypted successfully (%d, %d, %d)
Error decrypting data while decrypting (0x%x) (%x) (%d,%d,%d)
Data decrypted successfully (%d, %d, %d)
GetSetupFileContent '%s' (0x%p,%d) (%d)
ProcessGetIPAddress (%d,%d) '%s - %s'
%d.%d.%d.%d
GetLogFileContent '%s' (0x%p,%d) (%d)
CheckSettingsImport1
CheckSettingsImport
msnwcfg.ini
0x%p, %d, 0x%p, %d
EnumKeys
ProcessGetSetupFileIni (%d,%d)
ProcessGetLogFile (%d,%d)
0x%p, %d, 0x%p
CommHost: Received RemoteCommand (%d) from computer %s SN %s MachineID %s
Failed to load communications library (%s).
Failed to load server object: %s
Started listening on port %d (%d).
%d-%X
spddd
Get-Crypt-Keys
DecompressData: Memory Sanity Check Failed, file %s
wsock32.dll
Unable to recover from corrupt file %s !
Corrupt file (%s, type %d) accessed for write access. Resetting.
CreateFileNewPassword2
CreateFileNewPassword
-%d.%s
Checking Pushed Data ended, total time: %d msecs
AddKeystrokesToList
ProcessKeystrokeFile1
ProcessKeystrokeFile
CheckUrlCategory
SendDataRecord: Returned no URL page category for (%s).
SendDataRecord: Returned URL page category: %d for (%s).
InitClient: Unable to load CommDLL (%s)
InitWFSClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).
InitClient: Unable to create client object: %s
InitClient: Attempting to connect via IP address (%s, %d).
InitClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).
InitClient Comm Path %s
DataPush::ProcessDisplayFile CreateFileNewPassword (%s,%s) failed!!!
DataPush::ProcessDisplayFile SendFile (%s,%s) failed!!!
DataPush::ProcessDisplayFile End, '%s'
Unable to delete file (%s) : %s
snapshotXX.%s
PushData: Failed to send all users to server - sent %d/%d records.
PushData: Unable to open User data file %s - error %d !!!
ProcessDF: Could not find any transactions for transmission (%s, %d, %d).
ProcessDF: Failed to send record to server (%s)
PushData: Failed to initialize client communications (Port %d on %s).
PushData: Session complete. Sent %d data transactions, %d snapshot files.
d-%x.sdf
PushData: Pushing, maximum %d seconds.
%*.*f
%s:u,%s,%s,%p,%p,%s,%s,(%s),%s
%m/%d/%Y %H:%M:%S
OutMsgThread
OutMsg
%s_%s
Global\%s
InitPushClient: CCS Host Initialize Success '%s' in %d secs on Port: %d (%d)
InitPushClient: CCS Host Initialize Failed '%s' in %d secs (WSAErr: %d) (%d)!!!
InitPushClient: CCS Host resolve '%s' (%d) %d.%d.%d.%d
InitPushClient: CCS Host gethostbyname Failed '%s' (WSAErr: %d)!!!
InitPushClient: Initializing UDP client to '%s' on Port: %d AltIP:(%d) '%s'
RunSetupExe
RunSetupExe End (%d)
RunSetupExe Start '%s' '%s'
ExecUninstallThread End '%s'
portCap
webinetipxp
webinetprg
webemap
webinetcheck
webinetipx
GetClientInfo '%s' (%d,%d,%d,%d,%d) ( %s )
GetRecordState '%s' (%d-%d-%d,%d,%d,%d,%d,%d,%d,%d,%d,%d)
GetClientOSInfo '%s' (%d) '%s' '%s' '%s'
%s\%s\%s
Windows NT
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%d,0x%p
InitCommClient: Unable to load CommDLL (%s)
InitCommClient: Unable to create client object: %s
InitCommClient: Attempting to connect via IP address (%s, %d).
InitCommClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).
InitCommClient: Initializing TCP client using '%s'
PushOSInfo: Pushing info to server end '%s\%s' (%d,0x%p) (%d) (0x%p)
PushOSInfo: Pushing info to server start (%d,%d,%d)
ExecUpdateThread End '%s' - (%d,%d,%d)
ExecInstallThread End '%s' - (%d,%d,%d,%d) (%d,%d)
spsetup.exe
ExecUninstallRequest Abort '%s'
ExecUpdateRequest Abort '%s'
ExecInstallRequest Abort '%s'
ExecUpdateSyncThread End '%s' - (%d,%d)
%s#%s
PushRecordInfo: Pushing info to server end S(%d,%d) R(%d,%d,%d) (%d,%d,%d,%d,%d,%d)
PushRecordInfo: Pushing info to server check S(%d,%d,%d,%d,%d) R(%d,%d,%d,%d,%d)
PushRecordInfo: Pushing info to server message out of sync flush (%d, %d, %d, %d)
PushRecordInfo: Pushing info to server start (%d,%d,%d)
InfoPush: Initializing info push thread (%d)
Kernel32.dll
CKeywordDBLists::Init
Recorder::getKeywordsFromDB
<KWListReq listid="%d" serialnumber="%s"/>
<KWListNameReq serialnumber="%s"/>
CKeywordLists::getListUserFromDB
(KWS) getListUserFromDB: number of list:%d
(KWS) getListUserFromDB: Adding list:%d
<KWListUserReq user="%s" serialnumber="%s"/>
CKeywordLists::DisplayCacheListsInfo
(KWS) DisplayCacheListsInfo: List:%s ID:%d Version:%d
CKeywordLists::CacheKWList
(KWS)CacheKWList: %s
CKeywordLists::deleteCachedKWList
CKeywordLists::AddNewListFromDB
(KWS)AddCachedListFromDB: Update Keyword list:%s,ID:%d, Version:%d
(KWS) AddCachedListFromDB: Adding list:%s
(KWS)cacheKeywords:Done
Recorder::cacheKeywords
(KWS)cacheKeywords: SetKWListNames failed!
(KWS)cacheKeywords: Update Keyword version list
(KWS) cacheKeywords: Adding list:%s
(KWS)cacheKeywords: Adding list:%s
(KWS) cacheKeywords: list:%s version difference %d :%d
(KWS) cacheKeywords: Removing list:%s No longer in DB!
(KWS) cacheKeywords: Checking list: %s
(KWS) cacheKeywords: Checking %d lists
(KWS) cacheKeywords: Unable to get lists from DB
CKeywordLists
CKeywordLists::MakeKeywordInfo
CKeywordLists::FindKWListInUserList
KeywordMgr
KeywordMgrThread deleting objs
KeywordMgrThread
(KWS) Caching Keywords complete!!!
(KWS) Checking current list :%d with user list:%d
(KWS) Reload CurrUser:count:%d != User:count:%d
(KWS) Request recieved from :%s
(KWS) Request recieved size %d
(KWS) GetLastError error result:%d
(KWS) GetOverlappedResult bytes returned:%d
(KWS) Keyword server waiting...
(KWS) Unable to create named pipe: %s
\\.\PIPE\kwordlist
(KWS) Unable to create KeywordList Object
KeywordMgr::Initialize: Unable to create keyword loader event
(KWS) KeywordMgr::Initialize: Thread Started...
Global\SPxKeywordLoadNoChange
Global\SPxKeywordLoadComplete
KeywordMgr: Starting
KeywordListNames
KeywordUserLists
KeywordList
ERROR GetList: Keyword List:%s size:%d
ERROR GetList: Keyword List:%s ReadValue failed
GetList: Keyword List:%s Section:%s size:%d
GetList: Keyword List:%s Section:%s failed, no lists!
0x%x,%d,0x%x,0x%x
GetLicenseResponse returned a license handle, 0x%X
GetLicenseResponse returned a remote error status(0x%X): %s !!!
WebMailRevLevel
Connect - Unable to load CommDll library, %s
Connect - Unable to load client object: %s !
Connect to LicenseManager - Attempting to connect via IP address (%s, %d).
RequestLicense - Invalid response packet size, %u
%s %d
% 03dd
ddd d:d:d%s M m m .10s %-8.8s %-4.4s %-12.12s %-12.12s %-7.7s =>
default.log
X:
Advapi32.dll
%s_%d
0x%p,0x%p,%d,0x%p,%d,0x%p
Uninstall service name (%s) on (%s)
Uninstalling service...service only
Client Service Name (%s)
Client Service Path (%s)
%SystemRoot%\System32\
Client Install Machine Name (%s)
Start of Client Service code (%s)
msocxushell2.dll
%s -sa
Manual Start Service pending local (%d)
Stop service '%s' on '%s' (%d)
Service %sstopped '%s' on '%s'
Unable to QueryServiceStatus on '%S' err=%d
Unexpected service state %d after STOP command
Unable to send STOP command to '%S', err=%d
Unable to open handle to '%S', err=%d
Unable to open SCM stopping '%S', err=%d
StopService: %S
StopEXE
Failed to Stop EXE service (%d)
Service EXE Stopped (%d)
SendMsgService
Failed to send service control message: %d (%d) to '%s'
Service control messsage sent: %d to '%s'
%s -r%d
ServiceRestart: (%d)
WFAddServiceToCollection: ERROR %d
WFAddServiceToCollection: %d (%d)
WFRemoveServiceFromCollection: ERROR %d
WFRemoveServiceFromCollection: %d
WFDisableServiceInCollection: ERROR %d
WFDisableServiceInCollection: %d
0x%p,0x%p,%d,0x%p,%d
%s: invalid data type (%s)
%s: pData NULL
0x%p,0x%p,%d,0x%p,%d,0x%p,%d
ServiceBase::WriteServiceSetting(): error saving "%s"
0x%p,0x%p,%d,0x%p,%d,%d
0x%p,%d,0x%p,0x%p,0x%p,0x%p,%d
System\CurrentControlSet\Services\%s\Parameters
Service User Control Message: %u (%d)
TypesSupported
%d.%d.%d
Dispatches system events, such as Windows logons, user inactivity, and shutdown notifications.
advapi32.dll
Client Service initializing. %s Version %s Build %d
regsmtp
useRunKey
PortFileName
lulport
URLFileName
KeystrokeFileName
CCSListenPort
mschostport
WFSListenPort
mswhostport
HostListenPort
DSListenPort
msdhostport
LMListenPort
mslhostport
mswebole
mswebcom
mswebrev
HtmlMsg
mswebext
SuspendMsg
AgentSettings.pBlockedProgramsList
AgentSettings.MaskProgramTitles
webinetmask
AgentSettings.ProgramInactivityTimeout
AgentSettings.CapturePrograms
AgentSettings.IncludeAOLCSURLS
webinturl
AgentSettings.CapturePOSTS
weblocposts
AgentSettings.CaptureAOLSE
weblocaolse
AgentSettings.CaptureXPCOM
weblocxpcom
AgentSettings.HTTPSPorts
AgentSettings.HTTPPorts
URLOldestData
URLMaxDataSize
AgentSettings.IncludeLocalURLS
webloccheck
AgentSettings.IncludeNetURLS
webnetcheck
AgentSettings.CaptureINetURLS
AgentSettings.MaskPasswords
AgentSettings.CaptureChars
KeyStrokesOldestData
KeyStrokesMaxDataSize
AgentSettings.CaptureKeyStrokes
AgentSettings.pPortPortsList
portPortLst
AgentSettings.PortPortsInclude
portPortInc
AgentSettings.pPortAppsList
portAppLst
AgentSettings.PortAppsInclude
portAppInc
PortInactivityFlush
portIAF
PortOldestData
portOld
PortMaxDataSize
portMDS
AgentSettings.CapturePort
AgentSettings.DriveFileTracking
AgentSettings.pDriveFiltersList
AgentSettings.DriveFiltersInclude
AgentSettings.Drives
AgentSettings.DriveDefault.Types
AgentSettings.DriveDefault.Disposition
AgentSettings.CaptureIMAPI
AgentSettings.CapturePrinters
AgentSettings.CaptureDrives
AgentSettings.FTPPorts
hlpvsbftp
AgentSettings.GnutellaPorts
AgentSettings.CaptureINetHTMLUploads
webcaphtml
AgentSettings.CaptureP2P
AgentSettings.StampChat
AgentSettings.CaptureSkype
AgentSettings.CaptureINetMSNExchange
AgentSettings.XMPPCaptureType
AgentSettings.YPagerCaptureType
AgentSettings.AOLProcessCaptureType
AgentSettings.OSCARCaptureType
AgentSettings.MSNCaptureType
AgentSettings.IRCCaptureType
AgentSettings.CaptureINetMySpace443
AgentSettings.CaptureINetOSCAR
AgentSettings.CaptureINetAimExpress
AgentSettings.XMPPPorts
AgentSettings.YPagerPorts
AgentSettings.OSCARPorts
AgentSettings.MSNPorts
AgentSettings.IRCPorts
AgentSettings.CaptureChat
AgentSettings.NotesPollingInterval
AgentSettings.NotesLastMsgRcvdTime
AgentSettings.LastMsgRcvdTime
AgentSettings.pEmailLastRecvTimeList
AgentSettings.pEmailFilterList
webfiltlst
AgentSettings.EmailFilterDefaultIgnore
webfiltdef
AgentSettings.UseAltMAPICapture
AgentSettings.IMAPPorts
AgentSettings.POPPorts
AgentSettings.SMTPPorts
AgentSettings.CaptureINetWebEMail
webineticmp
AgentSettings.MailAttachMaxDataSize
AgentSettings.CaptureAttachments
webinetudp
AgentSettings.CaptureAOLEMail
webinetxde
AgentSettings.CaptureINetIMAPEMail
webinettimap
AgentSettings.CaptureINetSMTPEMail
webinettcp
AgentSettings.MAPIInboxOnly
WebMapiBox
AgentSettings.CaptureNotesEMail
webnotes
AgentSettings.CaptureMAPIEMail
webmapi
AgentSettings.CaptureEMail
AgentSettings.pKeyEventList
portusb6
AgentSettings.SendVScroll
portusb5
AgentSettings.SendEnterEvent
portusb3
AgentSettings.SendMouseWheel
portusb4
AgentSettings.SendMouseRightClick
portusb7
AgentSettings.SendMouseDoubleClick
portusb2
AgentSettings.SendMouseClick
portusb1
SnapTriggerKeyEnter
portpnp3
portpnp4
portpnp5
portpnp2
portpnp1
SnapTriggerHttpPost
SnapTriggerUrl
AgentSettings.InactivityTimeout
AgentSettings.pBlockUsersList
AgentSettings.BlockUsers
AgentSettings.pSvrBlockUrlList
AgentSettings.SvrBlockRevertLocal
AgentSettings.SvrBlockEnable
AgentSettings.BlockIMsAccess
AgentSettings.BlockUrlsAccess
AgentSettings.pBlockIMsList
AgentSettings.pURLList
AgentSettings.BlockIMsList
AgentSettings.BlockUrlsList
AgentSettings.pBlockAllAppsList
AgentSettings.pBlockInPortsList
AgentSettings.pBlockOutPortsList
AgentSettings.BlockInternetAccessAll
AgentSettings.BlockInternetAccess
AgentSettings.pRecordURLList
AgentSettings.pUsersList
AgentSettings.pAppsList
AgentSettings.RecordUrlsList
AgentSettings.RecordUrls
AgentSettings.DenyListedUsers
AgentSettings.RecordUsers
AgentSettings.DenyListedApps
AgentSettings.RecordApps
SnapshotHotkey
ToggleRecordHotkey
HostLoginType
HostLoginPassword
HostLoginUsername
KeywordEmailSubjectStrPRogramWindowCaption
KeywordEmailSubjectStrProgramName
KeywordEmailSubjectStrP2P
KeywordEmailSubjectStrUrls
KeywordEmailSubjectStrKeyStrokes
KeywordEmailSubjectStrWebPages
KeywordEmailSubjectStrChat
KeywordEmailSubjectStrEmail
KeywordEmailFormatStrPRogramWindowCaption
KeywordEmailFormatStrProgramName
KeywordEmailFormatStrP2P
KeywordEmailFormatStrUrls
KeywordEmailFormatStrKeyStrokes
KeywordEmailFormatStrWebPages
KeywordEmailFormatStrChat
KeywordEmailFormatStrEmail
pKeywordsList
KeywordEmailTimeout
KeywordScreenshotPeriod
KeywordScreenshotRate
ScanWebPages
AgentSettings.CaptureINetWebPages
ScanUrls
ScanKeystrokes
TakeKeywordScreenshot
SendKeywordEmail
SendServerKeywords
CaptureKeywords
AgentSettings.DecoyFile
AgentSettings.ComAddinName
AgentSettings.ComAddinID
AgentSettings.MapiClsId
AgentSettings.BhoClsId
AgentSettings.SAFProcessorPath
AgentSettings.DynProcessorWOW64Path
AgentSettings.DynProcessorPath
DeleteKey
keydele
DeleteKeyRoot
keydeleroot
AgentSettings.DeviceName
AgentSettings.DriverPath
KeywordMAPIPath
KeywordServerInfo
LCFireWallHTTPPort
SMTPPort
RmtPortalToken
rmtporttok
RmtPortalPassword
rmtportpass
RmtPortalLogin
rmtportlog
RmtS3SecretKey
rmts3seckey
RmtS3KeyID
rmts3keyid
AgentSettings.CaptureConsoles
AgentSettings.LFMaskShared
AgentSettings.BhoActive
WinAdminPassword
StartRecordingWithWindows
DataFilePasswordHash
AgentSettings.NetInitDelay
AgentSettings.ClearFF
AgentSettings.BlockFileAccess
AdminHotkey
AdminPasswordHash
AdminPassword
AgentSettings.LogFileMask
AgentSettings.LogFileLevel
AgentSettings.LogFilePath
AgentSettings.UseLogFile
DisallowKeystrokeCapture
ineturls
ineturlsn
msocxushell.dll
wwfwnetex.drv
tudmdxiufrm.drv
winfatiosys32.drv
winnetkernel32.drv
winkernel32hlp.drv
wwfwnetex.dll
udmdxiufrm.dll
msfatiosys32.dll
msnetKernel32.dll
mskernel32hlp.dll
-0561-4ffd-9B86-5BA2E941BA52}\OLE\Shell\Commands
MapiAuthentication.Addin
NewWFSListenPort
NotifyPort
CEASListenPort
NewCEASListenPort
CCSDbLoginName
CCSDbPassword
ProxyPort
NewLMListenPort
DBSqlType
DBPassword
NewDSListenPort
WebMailIniPath
0x%p,%d,0x%p,0x%p,%d
%d,0x%p,0x%p
%systemroot%
SetAdminPasswordHash
ValidateServerCert
AuthenPassword
SmtpAuthType
SnapshotHotkeyDisplayable
ToggleRecordHotkeyDisplayable
AdminHotkeyDisplayable
CEAdmin.cfg
secur32.dll
0x%p,0x%x
WriteSettingsWebMailStrings
locmlurl
locmsurl
locmrmsg
loclurl
locmurl
INTRWEB
MSG_Owner
WebMail
SMTPPOP
vKey
szKeyword
KeyEventDef
PortRange
KeywordRecord
ExportXMLSystem
svrapi.dll
netapi32.dll
\\%s\%s
ValidatePortsCallback
microsoft\..\*32.dll
ImportXMLSetting
\\.\%s%d
Windows-1252
%s %dx%dx%d
WindowsVersion
%d.%d.%d %s
" webmailrev="
MYSPACE_HTTP
FACEBOOK_HTTP
GTALK_HTTP
MSN_HTTP
KEYSTROKES
bNetLogin
UrlID
UrlType
UrlData
KeyData
KeywordData
KeyStrokeCount
URLCount
ReportData
strErrMsg
RemotePort
DesktopDataBase.Size
DesktopDataBase.Type
KEYWORD
BLK_WEB
WEBMAIL
SMTP
254.254.254.254
CUSTWEB
GetComputerInfo - Unable to load NETAPI32.DLL library.
GetComputerInfo - Unable to get NETAPI32.DLL function pointers.
GetComputerInfo - NetWkstaGetInfo error (%d,0x%p).
NETAPI32.DLL
-0561-4ffd-9B86-5BA2E941BA52}
SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
WebExtLocation
bSOFTWARE\Microsoft\Windows\CurrentVersion\Run
WebCheckStub
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
CLSID\%s
%s -u
CLSID\%s\InProcServer32
SCHTASKS /CREATE /SC ONSTART /RU SYSTEM /TN %s /TR "%s"
SCHTASKS /DELETE /F /TN %s
RD /S /Q "%s"
xxxxx
xxxxxxxxxxxxxxxxx.cmd
SpectorCNE.chm
SOFTWARE\Wow6432Node\Classes\CLSID\{4A85C0C0-C52C-4C08-9E88-F012BF35623A}SOFTWARE\Classes\CLSID\{7640DFF4-252C-470E-ACB7-1922EA57A0B9}MSMSGS
FTP Voyager
Ftpvoyager
Windows Messaging
Cute FTP
Cutftp32
RemoteRegDeleteKey
IMsgBox
\wininit.ini
GetLastErrorMsg
ws2_32.dll
RemoteRegConnectKey
CWindowsFirewall
::DisablePort
::IsPortEnabled
::AddPort
::RemovePort
DisableAppAndPort
AddAppAndPort
RemoveAppAndPort
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
GetProcessWindowStation
operator
Service.pdb
WSOCK32.dll
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
WinExec
GetWindowsDirectoryA
GetProcessHeap
KERNEL32.dll
GetKeyNameTextA
MapVirtualKeyA
GetKeyboardLayout
ExitWindowsEx
MapVirtualKeyExA
USER32.dll
GDI32.dll
RegCloseKey
RegGetKeySecurity
RegOpenKeyExA
RegSetKeySecurity
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
ReportEventA
RegCreateKeyA
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
PeekNamedPipe
vdorctrl.dll
svrltmgr.dll
mxcrsc32.exe
snxapi.exe
vdorctrl.sys
wshvtx.exe
secadtr.dll
cmproxfr.dll
ashl16.dll
ashl32.dll
sgvrfy32.exe
nmcpusym.dll
xsysym.dll
svrltwp.dll
svrlser.dll
vidithnk.dll
wzodlg32.dll
winipdat.log
safser32.dll
ntvshl.exe
mzsyk32.dll
SOFTWARE\Classes\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}zcÁ
stem32\sgvrfy32.exe
7.3.1111
C:\Windows\system32\sgvrfy32.exe
0f0x0
<&<8<_<{<2)2F2X2(3/3C3V3h3(4/4C4Y4
00s0
;%;2;8;];
3-3T3}3
9#9*9/9=9
1"1&1*171
2(2,2024282<2@2
2 2$2\2`2
3 3$3(3,303
=$?(?,?0?4?8?<?@?
2 2$2(2,2
4(444<4\4
4,484@4`4
:,:8:@:`:
>,>8>@>`>
3(343<3\3
7,787@7`7
<(<4<<<\<
1,181@1`1
<,<8<@<`<
5,585@5`5
6 646<6\6
?,?8?@?`?
9 9<9@9`9
set[@name="%S"]
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
sgvrfy32.exe:3776
%original file name%.exe:3400
runonce.exe:848
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
C:\Windows\System32\cmpipsvr32.dll (5156 bytes)
C:\Windows\System32\winipdat\winipdll\svrltwp.dll (436 bytes)
C:\Windows\System32\vdorctrl.dll (990 bytes)
C:\Windows\System32\svrltmgr.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUUF6EB.tmp (89 bytes)
C:\Windows\System32\drivers\vdorctrl.sys (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUU7E.tmp (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSVxRsc.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UUU8E.tmp (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_msfile75B0C260.inf (1 bytes)
C:\Windows\System32\cmproxfr.dll (274 bytes)
C:\Windows\System32\sgvrfy32.exe (1389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.