Backdoor.Bot.145152_ac880ae269

by malwarelabrobot on January 5th, 2015 in Malware Descriptions.

Trojan:Win32/EyeStye.N (Microsoft), Trojan-Spy.Win32.SpyEyes.ooi (Kaspersky), Trojan-Spy.Win32.Zbot.cgcy (v) (VIPRE), Trojan.PWS.SpySweep.52 (DrWeb), PWS-Zbot.gen.js (McAfee), Trojan-Spy.Win32.Zbot (Ikarus), Backdoor.Bot.145152 (FSecure), PSW.Generic9.XIQ (AVG), Win32:Nedsym-KI [Trj] (Avast), TROJ_GEN.RC1C8IN (TrendMicro), Backdoor.Bot.145152 (AdAware), Trojan.Win32.EyeStye.FD, TrojanEyeStye.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: ac880ae269835e168588273c20ef4c6b
SHA1: f105677b0a419883cefdd73ad8374faae03b3fb2
SHA256: ffa7fac44815655506d93bc5b2cb29844ccc2c1fc829039128a43a67da585cc2
SSDeep: 3072:6vtuLrEJVGhiHXiYWP7KDRK2xdamxKMsNCXaB:YM4JVGaSzP7SprxvsYqB
Size: 130048 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: VideoPerformer
Created at: 2011-09-18 10:03:49
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

D0097DA1456.exe:1052
%original file name%.exe:608

The Backdoor injects its code into the following process(es):

mscorsvw.exe:1924
winlogon.exe:720
lsass.exe:776
svchost.exe:932
svchost.exe:1000
svchost.exe:1092
svchost.exe:1132
svchost.exe:1180
Explorer.EXE:1284
spoolsv.exe:1424
wmiprvse.exe:1792
jqs.exe:1972

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process D0097DA1456.exe:1052 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\siehu73.bin\8F1BBD4F1258962 (5 bytes)

Registry activity

The process D0097DA1456.exe:1052 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 02 A7 37 A6 56 BE 77 5A 91 5E 7D 85 D3 00 B9"

The process %original file name%.exe:608 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 F5 CC 91 09 AA 1E 7E 8D DD D4 90 CE 1B 3B 76"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpAddRequestHeadersA
HttpOpenRequestA
InternetQueryOptionA

The Backdoor installs the following user-mode hooks in USER32.dll:

TranslateMessage

The Backdoor installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Backdoor installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Backdoor installs the following user-mode hooks in WS2_32.dll:

send

The Backdoor installs the following user-mode hooks in ntdll.dll:

NtVdmControl
ZwSetInformationFile
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1932 2048 4.25878 072948f135a09049b41323d2b4fd1603
.rdata 8192 1180 1536 3.04948 13876e6549eb030c59d5394a1a4a9316
.data 12288 250532 512 0.014135 598e1aae6ecbd8237c4383f4be94b9f1
.rsrc 266240 124824 124928 5.36903 0a16248c3c6f0cc3cc0a5cfe9d5b0d93

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e10088.dscb.akamaiedge.net/
hxxp://www.microsoft.com/ 184.86.40.154


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
Host: VVV.microsoft.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Last-Modified: Mon, 16 Mar 2009 20:35:26 GMT
Accept-Ranges: bytes
ETag: "67991fbd76a6c91:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1020
Date: Sun, 04 Jan 2015 10:47:58 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
<html><head><title>Microsoft Corporation</title&g
t;<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"><
;/meta><meta http-equiv="Content-Type" content="text/html; chars
et=utf-8"></meta><meta name="SearchTitle" content="Microso
ft.com" scheme=""></meta><meta name="Description" content=
"Get product information, support, and news from Microsoft." scheme=""
></meta><meta name="Title" content="Microsoft.com Home Pag
e" scheme=""></meta><meta name="Keywords" content="Microso
ft, product, support, help, training, Office, Windows, software, downl
oad, trial, preview, demo,  business, security, update, free, computer
, PC, server, search, download, install, news" scheme=""></meta&
gt;<meta name="SearchDescription" content="Microsoft.com Homepage" 
scheme=""></meta></head><body><p>Your curre
nt User-Agent string appears to be from an automated process, if this 
is incorrect, please click this link:<a href="hXXp://VVV.microsoft.
com/en/us/default.aspx?redir=true">United States English Microsoft 
Homepage</a></p></body></html>..HTTP/1.1 200 O
K..Cache-Control: no-cache..Content-Type: text/html..Last-Modified: Mo
n, 16 Mar 2009 20:35:26 GMT..Accept-Ranges: bytes..ETag: "67991fbd76a6
c91:0"..Server: Microsoft-IIS/8.5..X-Powered-By: ASP.NET..Content-Leng
th: 1020..Date: Sun, 04 Jan 2015 10:47:58 GMT..Connection: keep-alive.
.X-CCC: CA..X-CID: 2..<html><head><title>Microso
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

winlogon.exe_720_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

lsass.exe_776_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

svchost.exe_932_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

svchost.exe_1000_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
c:\windows\system32\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

svchost.exe_1092_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
c:\windows\system32\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

svchost.exe_1132_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
c:\windows\system32\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

svchost.exe_1180_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

Explorer.EXE_1284_rwx_013D0000_00002000:

!EYEc:\%original file name%.exe
C:\siehu73.bin\
D0097DA1456.exe
3I5uDO1CyWX.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows

Explorer.EXE_1284_rwx_01C30000_00006000:

.text
`.rdata
@.data
.reloc
PSSSSSSh
Advapi32.dll
guid=%s&ver=%u&ie=%s&os=%u.%u.%u&ut=%s&ccrc=X&md5=%s&plg=%s&plgstat=%s&wake=%u
%s&stat=online
hXXp://VVV.microsoft.com
%s&%s
ntdll.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
ADVAPI32.dll
customconnector.dll
TakeBotExeMd5Callback
TakeStartExe
TakeUpdateBotExe
Content-Type: application/x-www-form-urlencoded
5.1.2600!XP3!A8A67A25
hXXp://safeinetscripts.net:8080/ll382hfs.php

Explorer.EXE_1284_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

Explorer.EXE_1284_rwx_0BB60000_0005A000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

spoolsv.exe_1424_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

wmiprvse.exe_1792_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

mscorsvw.exe_1924_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.

jqs.exe_1972_rwx_0BAD0000_0004E000:

.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
nspr4.dll
set_url
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
X X
%d.%d.%d
keys
http:
urlmask
cert
seieapiXX
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }
r = %s
%s%s&rep=%s
tid=%u&stat=
Host: %s
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\siehu73.bin\8F1BBD4F1258962
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\siehu73.bin\D0097DA1456.exe
C:\siehu73.bin\
D0097DA1456.exe
IS9QVCA.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP3!A8A67A25
siehu73.bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
$0)0.252
2%2X2u2
>*>4>:>~>
6#6*61686{6
4^4*696\6
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
c(GMT %su:u) %s
RapportTanzan36.
RapportKoan.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    D0097DA1456.exe:1052
    %original file name%.exe:608

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    C:\siehu73.bin\8F1BBD4F1258962 (5 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now