
Win32.Ramnit_6ea63b19ab

by malwarelabrobot on August 26th, 2017 in Malware Descriptions.

Virus.Win32.Nimnul.a (Kaspersky), Win32.Ramnit (B) (Emsisoft), Win32.Ramnit (AdAware), Trojan-PSW.Win32.MSNPassword.FD, GenericInjector.YR, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 6ea63b19ab915004dbcdd897be2732ea
SHA1: 0dfd7c640613bb5d0e6f9e65ea08ccb9be3d69bd
SHA256: 92a2ba7862cc023cf08fbe7c0d2f0f26db5ba277e2e4075df123fa96a61f0e9d
SSDeep: 6144:6jz6KSJDcvupfIuy/9i9UAKj2iwSJr6wY20tMPB/Ah1:ySGvBVoUiiwSJr6pJMPBi1
Size: 238080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-04 15:35:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

6ea63b19ab915004dbcdd897be2732eaSrv.exe:1492
zmnfmcSrv.exe:600

The Trojan injects its code into the following process(es):

chrome.exe:1848
zmnfmc.exe:620
zmnfmc.exe:3876
%original file name%.exe:2556
iexplore.exe:1584

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 6ea63b19ab915004dbcdd897be2732eaSrv.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft\DesktopLayer.exe (691 bytes)

The Trojan deletes the following file(s):

%Program Files%\Microsoft\px76F3.tmp (0 bytes)

The process chrome.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
C:\6ea63b19ab915004dbcdd897be2732eaSrv.exe (2374 bytes)

The process zmnfmcSrv.exe:600 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Microsoft\px7889.tmp (0 bytes)

The process zmnfmc.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\zmnfmcSrv.exe (176 bytes)

The process zmnfmc.exe:3876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\Server.ini (95 bytes)

The process %original file name%.exe:2556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Server.ini (95 bytes)
C:\6ea63b19ab915004dbcdd897be2732eaSrv.exe (176 bytes)
C:\Windows\System32\zmnfmc.exe (1281 bytes)

Registry activity

The process chrome.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"
"failed_count" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

The process %original file name%.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Rssgyq hhhwsoiskcq]
"Description" = "启动您家庭网络上的gghhjjkk Booth 设备的检测。"

Dropped PE files

MD5 File path
178ff6645823901807d04fa2bd742158 c:\6ea63b19ab915004dbcdd897be2732eaSrv.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

Company Name:
Product Name: NewServers ????
Product Version: 1, 0, 0, 1
Legal Copyright: ???? (C) 2017
Legal Trademarks:
Original Filename: NewServers.EXE
Internal Name: NewServers
File Version: 1, 0, 0, 1
File Description: NewServers Microsoft ???????
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 221184 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 225280 118784 117248 5.50332 47e88a9ba3be1309c7952df242af9237
.rsrc 344064 32768 31744 5.3232 9741a3540763f4c446f29b8f11155ffa
vkyqjzx 376832 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.rmnet 380928 90112 88064 5.52275 3b8a6f359fd24972b9333dfa4f14a054

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
bing.com 204.79.197.200
ilo.brenz.pl
fget-career.com
google.com
dns.msftncsi.com
zuagyt.com
yahoo.com
ant.trenz.pl


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup

Traffic

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2556:


%original file name%.exe_2556_rwx_002D0000_00008000:


%original file name%.exe_2556_rwx_00401000_00052000:


chrome.exe_1848:


%original file name%.exe_2556_rwx_00454000_00008000:


%original file name%.exe_2556_rwx_0045D000_00016000:


zmnfmc.exe_620:


chrome.exe_1848_rwx_00090000_00001000:

w%Program Files%\Microsoft\DesktopLayer.exe

chrome.exe_1848_rwx_20010000_00009000:


zmnfmc.exe_620_rwx_00401000_00052000:

nnbbaa.f3322.net
c:\%s
%s:%d
Kernel32.dll
userenv.dll
%s Win7
M-%.2d-%.2d %.2d:%.2d
\\.\agmkis2
\??\%s\%s
%s\%s
%s.exe
%c%c%c%c%c%c.exe
Oleaut32.dll
Ole32.dll
%sMHz
kernel32.dll
minerd.exe
Logon.exe
BaiduSdSvc.exe
ServUDaemon.exe
DUB.exe
1433.exe
S.exe
mssecess.exe
QUHLPSVC.EXE
V3Svc.exe
patray.exe
AYAgent.aye
Miner.exe
TMBMSRV.exe
knsdtray.exe
QQ.exe
K7TSecurity.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
avcenter.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
ws2_32.dll
User32.dll
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
4O4L4
3034383<3@3
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
zcÁ
windows
KERNEL32.DLL
C:\Windows\system32\zmnfmc.exe
GetCPInfo
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
.rsrc
k?mSG
ntdll.dll
Windows Update
Is the Windows update open?
(*.*)

iexplore.exe_1584:

.text
`.data
.rsrc
@.reloc
Bv.TBv
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

zmnfmc.exe_620_rwx_00454000_00008000:

KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO32.DLL
USER32.dll
WINSPOOL.DRV
RegCloseKey
ADVAPI32.DLL
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ilo.brenz.pl
ant.trenz.pl
NICK kiwqkmes
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x  *%s
windowsupdate
drweb
1, 0, 0, 1
NewServers.EXE

zmnfmc.exe_620_rwx_0045D000_00016000:

Srv.exe
C:\Windows\system32\zmnfmcSrv.exe
kernel32.dll
.rsrc
O.Cp}l
OO.sJD
AM6d%X
4ml%F
.pkrd
.DBxA
Xvi%2x
8KeysX
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>
KERNEL32.DLL
SHELL32.DLL
USER32.DLL
Gp.yR
106.42.73.61
2528-6142
nedwp.exe

iexplore.exe_1584_rwx_00060000_00001000:

wC:\Windows\system32\zmnfmcSrv.exe

iexplore.exe_1584_rwx_20010000_00009000:

.text
.rdata
@.data
.reloc
Srv.exe
kernel32.dll

zmnfmc.exe_3876:

.rsrc
.rmnet
RCv=kAv.SCvc
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
CNotSupportedException
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
SHELL32.dll
VVV.baidu.com
.text
`.rdata
@.data
.reloc
SPSSSSh
SSSh0$
SSShY0
SSSh&E
SSSh#J
SSSSh
s.WWWWh
GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET ~!@#$%^&*())(*&^%$#@!ABCDEFGHIJKLMN!@#$%^.asp
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
ExitWindowsEx
EnumWindows
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteExA
SHLWAPI.dll
SETUPAPI.dll
WS2_32.dll
WININET.dll
URLDownloadToFileA
urlmon.dll
DllMain.dll
\Tencent\Users\*.*
{4D36E972-E325-11CE-BFC1-08002BE10318}
InternetOpenUrlA
wininet.dll
GET /index.php?ip=%s HTTP/1.1
Host: ip.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64);
ip.cn
%d.%d.%d.%d
Referer: VVV.qq.com
GET %s HTTP/1.1
Host: %s:%d
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)
Referer: hXXp://%s
\Program Files\Internet Explorer\iexplore.exe
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Host: %s
%s %s%s
hXXp://
#0%s!
%s/%s
GET / HTTP/1.1
\Server.ini
%s\shell\open\command
%s %s
Applications\iexplore.exe\shell\open\command
nnbbaa.f3322.net
c:\%s
%s:%d
Kernel32.dll
userenv.dll
%s Win7
M-%.2d-%.2d %.2d:%.2d
\\.\agmkis2
\??\%s\%s
%s\%s
%s.exe
%c%c%c%c%c%c.exe
Oleaut32.dll
Ole32.dll
%sMHz
kernel32.dll
minerd.exe
Logon.exe
BaiduSdSvc.exe
ServUDaemon.exe
DUB.exe
1433.exe
S.exe
mssecess.exe
QUHLPSVC.EXE
V3Svc.exe
patray.exe
AYAgent.aye
Miner.exe
TMBMSRV.exe
knsdtray.exe
QQ.exe
K7TSecurity.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
avcenter.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
ws2_32.dll
User32.dll
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
4O4L4
3034383<3@3
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
zcÁ
windows
KERNEL32.DLL
C:\Windows\system32\zmnfmc.exe
GetCPInfo
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
k?mSG
QoySsH
COMCTL32.dll
comdlg32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO32.DLL
WINSPOOL.DRV
Srv.exe
U.gYF
.cf8u
E%c[X
_.#.ud
`.PSK
C.Tjh)
E:\TB
ntdll.dll
Windows Update
Is the Windows update open?
(*.*)
1, 0, 0, 1
NewServers.EXE

zmnfmc.exe_3876_rwx_00401000_00052000:

RCv=kAv.SCvc
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
CNotSupportedException
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
SHELL32.dll
VVV.baidu.com
.text
`.rdata
@.data
.reloc
SPSSSSh
SSSh0$
SSShY0
SSSh&E
SSSh#J
SSSSh
s.WWWWh
GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET ~!@#$%^&*())(*&^%$#@!ABCDEFGHIJKLMN!@#$%^.asp
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
ExitWindowsEx
EnumWindows
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteExA
SHLWAPI.dll
SETUPAPI.dll
WS2_32.dll
WININET.dll
URLDownloadToFileA
urlmon.dll
DllMain.dll
\Tencent\Users\*.*
{4D36E972-E325-11CE-BFC1-08002BE10318}
InternetOpenUrlA
wininet.dll
GET /index.php?ip=%s HTTP/1.1
Host: ip.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64);
ip.cn
%d.%d.%d.%d
Referer: VVV.qq.com
GET %s HTTP/1.1
Host: %s:%d
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)
Referer: hXXp://%s
\Program Files\Internet Explorer\iexplore.exe
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Host: %s
%s %s%s
hXXp://
#0%s!
%s/%s
GET / HTTP/1.1
\Server.ini
%s\shell\open\command
%s %s
Applications\iexplore.exe\shell\open\command
nnbbaa.f3322.net
c:\%s
%s:%d
Kernel32.dll
userenv.dll
%s Win7
M-%.2d-%.2d %.2d:%.2d
\\.\agmkis2
\??\%s\%s
%s\%s
%s.exe
%c%c%c%c%c%c.exe
Oleaut32.dll
Ole32.dll
%sMHz
kernel32.dll
minerd.exe
Logon.exe
BaiduSdSvc.exe
ServUDaemon.exe
DUB.exe
1433.exe
S.exe
mssecess.exe
QUHLPSVC.EXE
V3Svc.exe
patray.exe
AYAgent.aye
Miner.exe
TMBMSRV.exe
knsdtray.exe
QQ.exe
K7TSecurity.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
avcenter.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
ws2_32.dll
User32.dll
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
4O4L4
3034383<3@3
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
zcÁ
windows
KERNEL32.DLL
C:\Windows\system32\zmnfmc.exe
GetCPInfo
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
.rsrc
k?mSG
ntdll.dll
Windows Update
Is the Windows update open?
(*.*)

zmnfmc.exe_3876_rwx_00454000_00001000:

KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO32.DLL
USER32.dll
WINSPOOL.DRV
RegCloseKey
1, 0, 0, 1
NewServers.EXE

zmnfmc.exe_3876_rwx_0045D000_00001000:

Srv.exe
kernel32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    6ea63b19ab915004dbcdd897be2732eaSrv.exe:1492
    zmnfmcSrv.exe:600

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Microsoft\DesktopLayer.exe (691 bytes)
    %Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
    C:\6ea63b19ab915004dbcdd897be2732eaSrv.exe (2374 bytes)
    C:\Windows\System32\zmnfmcSrv.exe (176 bytes)
    C:\Windows\System32\Server.ini (95 bytes)
    C:\Server.ini (95 bytes)
    C:\Windows\System32\zmnfmc.exe (1281 bytes)

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

    The Trojan appends its dropped DesktopLayer.exe to this value so that Winlogon starts it at every logon. Restore the value to its default, "C:\Windows\system32\userinit.exe," (the trailing comma is part of the default), rather than deleting the value outright, since an empty UserInit prevents interactive logon.

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
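The manual steps above, collected into one script. This is an added example, not part of the Lavasoft report and not a vendor tool: every path, process name, hash and registry value in it is copied from this page, and only the default UserInit string and the `$env:` path expansions are assumptions. The `-WhatIf` switches are deliberate: the script reports what it would do and changes nothing until you remove them after reviewing the output on an elevated PowerShell session, ideally after the anti-rootkit scan in step 1.

```powershell
# Added example (not from the report): check for and remove the artifacts
# the report lists. Run elevated. Destructive cmdlets carry -WhatIf; drop
# the switch only after reading the output.
$ErrorActionPreference = 'Continue'

# Hashes of the analysed sample, from the report header
$KnownSha256 = '92a2ba7862cc023cf08fbe7c0d2f0f26db5ba277e2e4075df123fa96a61f0e9d'

# Files the report says the Trojan creates or modifies
$BadFiles = @(
  "$env:ProgramFiles\Microsoft\DesktopLayer.exe",
  "$env:ProgramFiles\Google\Chrome\Application\dmlconf.dat",
  'C:\6ea63b19ab915004dbcdd897be2732eaSrv.exe',
  "$env:SystemRoot\System32\zmnfmcSrv.exe",
  "$env:SystemRoot\System32\Server.ini",
  'C:\Server.ini',
  "$env:SystemRoot\System32\zmnfmc.exe"
)

# Processes created by the Trojan (report, "Process activity"), without .exe
$BadProcs = @('6ea63b19ab915004dbcdd897be2732eaSrv', 'zmnfmcSrv', 'zmnfmc')
# Hosts the Trojan injected code into; their memory is no longer trustworthy
$InjectedHosts = @('chrome', 'iexplore')

# --- Step 5: Winlogon UserInit must name only userinit.exe ---------------
$WinlogonKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DefaultUserInit = "$env:SystemRoot\system32\userinit.exe,"   # assumed default
$current = (Get-ItemProperty -Path $WinlogonKey -Name UserInit).UserInit
# Split on commas, ignore the empty element the Trojan leaves (",,"), and
# flag any entry that is not userinit.exe itself.
$extra = ($current -split ',') | Where-Object { $_ -and ($_ -notmatch '\\userinit\.exe$') }
if ($extra) {
    Write-Warning "UserInit carries extra entries: $($extra -join ', ')"
    Set-ItemProperty -Path $WinlogonKey -Name UserInit -Value $DefaultUserInit -WhatIf
} else {
    Write-Host "UserInit is clean: $current"
}

# --- Step 2: terminate the Trojan's processes and the injected hosts ------
foreach ($name in ($BadProcs + $InjectedHosts)) {
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Warning "Would stop $($_.ProcessName) (PID $($_.Id))"
            Stop-Process -Id $_.Id -Force -WhatIf
        }
}

# --- Steps 3 and 4: hash, then remove, the dropped files -----------------
# The hash is recorded before deletion so the match (or mismatch) against
# the report's sample hash is on file for the incident record.
foreach ($path in $BadFiles) {
    if (Test-Path -LiteralPath $path) {
        $h = Get-FileHash -LiteralPath $path -Algorithm SHA256
        $note = if ($h.Hash -ieq $KnownSha256) { 'matches report SHA256' }
                else { "SHA256 $($h.Hash) differs from the sample (file is still on the report's list)" }
        Write-Warning "$path present: $note"
        Remove-Item -LiteralPath $path -Force -WhatIf
    }
}

Write-Host 'Review the output, remove -WhatIf, re-run, then reboot (step 7).'
```

Run it twice: once with `-WhatIf` in place to confirm the hits are what you expect (a legitimate DesktopLayer.exe does not exist under %Program Files%\Microsoft, but Server.ini is a generic name and can collide with unrelated software), and a second time with the switches removed. Repeat the UserInit check after the reboot; if the value has been re-appended, an injected host or a file not on this list is still alive and the anti-rootkit scan in step 1 needs another pass.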
