Generic.Malware.SPCPkg.D36B1CA8_cc96fb3b88
HEUR:Trojan.Win32.Generic (Kaspersky), Generic.Malware.SP!CPkg.D36B1CA8 (B) (Emsisoft), Generic.Malware.SP!CPkg.D36B1CA8 (AdAware), Trojan.Win32.Hideproc.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cc96fb3b88b1ca9542d3d4693dc003bb
SHA1: 1e9340a3c8cc62b0cd4194ba2610fe461f51c63b
SHA256: 19d9ea1c8621144593abc7d04bc44ce5e86504849ead5e83ae333cb28fa6bab4
SSDeep: 1536:eQeKcnrJXSWLv5z2 KWa44yP8GvpdXneQBgU:eQHcnrJXSUBz2 KWaCP8ineHU
Size: 84280 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Generic creates the following process(es):
mscorsvw.exe:1912
%original file name%.exe:1612
The Generic injects its code into the following process(es):
explorer.exe:1044
Explorer.EXE:840
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1612 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%System%\moytxkmtdn\smss.exe (601 bytes)
%System%\kufybnxndp\explorer.exe (601 bytes)
Registry activity
The process mscorsvw.exe:1912 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process %original file name%.exe:1612 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 75 73 61 DE C5 A2 ED 9F 1E 6D 87 4D 4C 80 04"
Dropped PE files
MD5 | File path |
---|---|
3be6ce93a4f2dc6554877d337aca7c81 | c:\Program Files\Common Files\BOSC.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 278528 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 282624 | 53248 | 52736 | 5.4542 | 48d1c9e5b0f4e80a2201fac556b127bd |
.rsrc | 335872 | 24576 | 24576 | 2.71573 | 427dc1ef0392bcf053459077e17d9dff |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
3a3f5dc72f51256ec896493593066dc8
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Generic connects to the servers at the following location(s):
explorer.exe_1044_rwx_00401000_00050000:
Explorer.EXE_840_rwx_5CB71000_00001000:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:1912
%original file name%.exe:1612
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
%System%\moytxkmtdn\smss.exe (601 bytes)
%System%\kufybnxndp\explorer.exe (601 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.